Sign in / up

back to article Sloppy string sanitization sabotages system security of millions of Java-powered 3G IoT kit: Patch me if you can

A vulnerability in Thales' Cinterion EHS8 M2M module, a Java-powered embedded 3G system used in millions of Internet-of-Things devices for connectivity, was revealed yesterday by IBM's X-Force Red. The bug (CVE-2020-15858), disclosed to Thales and addressed in a patch made available to IoT vendors in February, makes it …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. IGotOut Silver badge

    Why bother.

    Finding flaws in IoT tat is like shooting fix in a barrel with a howitzer.

    All IoT kit should be labelled as a privacy and security risk and only allowed to be connected to the internet if the vendors are legally responsable for updating for at least 5 years.

    6 0 Reply
    1. lglethal Silver badge
      Reply Icon
      Trollface

      Re: Why bother.

      Who is Fix? Why is he in a barrel? And does he really deserve to be shot? And who's supplying the Howitzer? Is the barrel in a location where there could be civilian casualties from a Howitzer shell?

      So many questions...

      10 0 Reply
      1. Anonymous Coward
        Reply Icon
        Angel

        Re: Why bother.

        The biggest question is what kind of round the howitzer uses? I'd suggest tactical nukes to make sure none of the fixes survive.

        1 0 Reply
  2. Hubert Cumberdale Silver badge

    Oh dear.

    (That is all.)

    1 0 Reply
  3. Anonymous Coward
    Anonymous Coward

    Firmware update via USB and serial interface...

    So - how are those devices in the field gonna get patched? I have the feeling a lot are going to be left unpatched.

    2 0 Reply
  4. Jason Bloomberg Silver badge

    I wonder how "a:/anything/../.hidden_file" would fare?

    I tripped myself up with that one by optimising away the 'down then up' without checking for the actual existence of the sub-directory but, as I explicitly checked the filename part, it didn't get through.

    Using escapes, "a:/\x2ehidden_file", or whatever, will often defeat lightweight checks. Finding parsing flaws, resetting the parser input stream with ';' and the like, was often the way to access hidden router pages and cgi executables.

    1 0 Reply
  5. dvd

    Thales? Don't worry - I'm sure that it doesn't reflect on the quality and security of their other kit - like Watchkeeper drones.

    2 0 Reply
    1. Starace
      Reply Icon
      Devil

      Well the problem was in Gemalto kit so take a wild guess...

      As for the drones you're better off asking Elbit.

      0 0 Reply
  6. Claptrap314 Silver badge
    Paris Hilton

    Isn't directory traversal on the OWASP list?

    It's not like there are no published libraries to get this right.....

    0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like