Sloppy string sanitization sabotages system security of millions of Java-powered 3G IoT kit: Patch me if you can

A vulnerability in Thales' Cinterion EHS8 M2M module, a Java-powered embedded 3G system used in millions of Internet-of-Things devices for connectivity, was revealed yesterday by IBM's X-Force Red. The bug (CVE-2020-15858), disclosed to Thales and addressed in a patch made available to IoT vendors in February, makes it …

  1. IGotOut Silver badge

    Why bother.

    Finding flaws in IoT tat is like shooting fix in a barrel with a howitzer.

    All IoT kit should be labelled as a privacy and security risk and only allowed to be connected to the internet if the vendors are legally responsible for updating for at least 5 years.

    1. lglethal Silver badge

      Re: Why bother.

      Who is Fix? Why is he in a barrel? And does he really deserve to be shot? And who's supplying the Howitzer? Is the barrel in a location where there could be civilian casualties from a Howitzer shell?

      So many questions...

      1. Anonymous Coward

        Re: Why bother.

        The biggest question is what kind of round the howitzer uses? I'd suggest tactical nukes to make sure none of the fixes survive.

  2. Hubert Cumberdale Silver badge

    Oh dear.

    (That is all.)

  3. Anonymous Coward

    Firmware update via USB and serial interface...

    So - how are those devices in the field gonna get patched? I have the feeling a lot are going to be left unpatched.

  4. Jason Bloomberg Silver badge

    I wonder how "a:/anything/../.hidden_file" would fare?

    I tripped myself up with that one by optimising away the 'down then up' without checking for the actual existence of the sub-directory but, as I explicitly checked the filename part, it didn't get through.

    Using escapes, "a:/\x2ehidden_file", or whatever, will often defeat lightweight checks. Finding parsing flaws, resetting the parser input stream with ';' and the like, was often the way to access hidden router pages and cgi executables.
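The two bypasses this comment describes (the "down then up" `..` segment and an escaped leading dot) both defeat a check that only looks at the raw filename string. The following is an added example, not code from the article, the commenter or Thales: a lightweight filename check beside a canonicalise-then-check version. The `a:/` root is borrowed from the comment; the escape decoding step is a constructed stand-in for whatever decoding a real file layer performs before opening the path.

```python
import posixpath

# Constructed root prefix, taken from the comment above; stands in for the
# device file-system root that the path must stay inside.
ROOT = "a:/"


def decode_escapes(path: str) -> str:
    """Simulate a lower layer that interprets backslash escapes such as
    '\\x2e' before touching the file system (an assumed behaviour for
    illustration; real parsers differ)."""
    return path.encode("latin-1").decode("unicode_escape")


def naive_is_allowed(path: str) -> bool:
    """Lightweight check: reject hidden files by looking only at the final
    component of the string as typed, before decoding or '..' resolution.
    This is the kind of check the comment says gets defeated."""
    if not path.startswith(ROOT):
        return False
    return not path.rsplit("/", 1)[-1].startswith(".")


def canonical_is_allowed(path: str) -> bool:
    """Canonicalise first, then check what the file layer would actually
    open: decode escapes, resolve '..' and '.', root the result, and refuse
    any component (not just the last) that names a hidden entry."""
    if not path.startswith(ROOT):
        return False
    rel = decode_escapes(path[len(ROOT):])
    # Rooting at '/' makes normpath collapse leading '..' instead of
    # climbing above the root; 'x/../' segments are resolved here too.
    norm = posixpath.normpath("/" + rel)
    components = [c for c in norm.split("/") if c]
    if not components:            # 'a:/' alone names no file
        return False
    return not any(c.startswith(".") for c in components)


if __name__ == "__main__":
    for p in ("a:/docs/readme.txt", "a:/anything/../.hidden_file",
              r"a:/\x2ehidden_file", "a:/.hidden_dir/visible.txt"):
        print(f"{p:32} naive={naive_is_allowed(p)!s:5} "
              f"canonical={canonical_is_allowed(p)}")
```

Only the canonical check refuses the escaped variant and the hidden directory in the middle of the path, because it validates every component of the decoded, normalised path rather than the string the caller supplied.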

  5. dvd

    Thales? Don't worry - I'm sure that it doesn't reflect on the quality and security of their other kit - like Watchkeeper drones.

    1. Starace

      Well the problem was in Gemalto kit so take a wild guess...

      As for the drones you're better off asking Elbit.

  6. Claptrap314 Silver badge

    Isn't directory traversal on the OWASP list?

    It's not like there are no published libraries to get this right.....
