If your IoT kit employs RabbitMQ, EMQ X or VerneMQ, it’s time to get patching
Synopsys Cybersecurity Research Centre (CyRC) has warned of easily triggered denial-of-service (DoS) vulnerabilities in three popular open-source Internet of Things message brokers: RabbitMQ, EMQ X, and VerneMQ.
The message brokers, which relay data to and from IoT devices such as smart home hubs and door locks, all implement the same protocol: Message Queuing Telemetry Transport (MQTT), devised in 1999 for monitoring oil pipelines and since adopted for a wide range of home and industrial automation tasks. Any disruption to MQTT messaging could leave users locked out of their homes and offices.
“Message brokers are software applications that serve as a messaging hub for complex systems,” said Jonathan Knudsen, Synopsys senior security strategist responsible for discovering the vulnerabilities, in the public disclosure. “They provide reliable communication channels between different components, serving as the nerve center of a complex system. As such, message brokers can also be a central point of failure.”
Each of the three brokers can be made to consume ever more memory until the host operating system kills the process, simply by sending it a specially crafted MQTT message. With the broker dead, every device on the network that relies on it to relay messages can no longer send or receive anything.
“If the message broker dies, system components won’t be able to communicate,” Knudsen continued. “CVE-2021-22116, CVE-2021-33175, and CVE-2021-33176 are denial of service vulnerabilities in three popular open source message brokers. They give attackers the opportunity to disable the message brokers, a denial-of-service attack that could have serious consequences.”
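The memory-exhaustion mechanism described above is a reminder that a broker should bound what it is willing to buffer before it trusts a packet's declared length. The following is an added example, written for this page and not Synopsys's proof-of-concept or code from any of the three projects; the article does not describe the crafted messages, and this guard is not claimed to block them. It parses the MQTT 3.1.1/5.0 fixed header and rejects any packet whose declared total size exceeds a configured ceiling before a byte of the body is allocated. The sample packets are constructed inline, and the 64 KiB limit is an assumed deployment value.

```python
"""Added example: bound inbound MQTT packet size at the framing layer.

Generic guard based on the MQTT fixed-header encoding; not the trigger for
CVE-2021-22116 / CVE-2021-33175 / CVE-2021-33176, which is not public here.
"""

# Largest Remaining Length the 4-byte variable-length integer can express.
MAX_REMAINING_LENGTH = 268_435_455

# Assumed deployment limit for this example: 64 KiB is ample for telemetry.
DEFAULT_MAX_PACKET_SIZE = 64 * 1024


class MqttFramingError(ValueError):
    """Malformed or over-limit packet; the connection should be dropped."""


class IncompletePacket(MqttFramingError):
    """Header or body not fully received yet; wait for more bytes."""


def decode_remaining_length(data: bytes, offset: int = 1) -> tuple[int, int]:
    """Decode the Remaining Length varint starting at data[offset].

    Each byte carries 7 bits of value; bit 7 is the continuation flag.
    At most 4 bytes are permitted. Returns (value, bytes_consumed).
    """
    value, multiplier, consumed = 0, 1, 0
    while True:
        pos = offset + consumed
        if pos >= len(data):
            raise IncompletePacket("truncated Remaining Length")
        byte = data[pos]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, consumed
        if consumed == 4:
            raise MqttFramingError("Remaining Length uses more than 4 bytes")
        multiplier *= 128


def check_fixed_header(data: bytes, max_packet_size: int = DEFAULT_MAX_PACKET_SIZE) -> dict:
    """Parse the fixed header and reject the packet if its declared total
    size exceeds max_packet_size. Nothing beyond the header is read."""
    if not data:
        raise IncompletePacket("empty packet")
    packet_type = data[0] >> 4
    flags = data[0] & 0x0F
    if packet_type == 0:
        raise MqttFramingError("reserved control packet type 0")
    remaining, varint_len = decode_remaining_length(data)
    header_len = 1 + varint_len
    total = header_len + remaining
    if total > max_packet_size:
        raise MqttFramingError(
            f"declared packet size {total} exceeds limit {max_packet_size}")
    return {"type": packet_type, "flags": flags,
            "remaining_length": remaining, "header_length": header_len}


def split_packets(stream: bytes, max_packet_size: int = DEFAULT_MAX_PACKET_SIZE) -> list[tuple[int, bytes]]:
    """Frame a byte stream into (packet_type, body) pairs, applying the size
    check to each packet before its body is sliced out. Stops at the first
    incomplete packet; raises on any malformed or oversized one."""
    out, pos = [], 0
    while pos < len(stream):
        try:
            hdr = check_fixed_header(stream[pos:], max_packet_size)
        except IncompletePacket:
            break
        start = pos + hdr["header_length"]
        end = start + hdr["remaining_length"]
        if end > len(stream):
            break  # body not fully received yet
        out.append((hdr["type"], stream[start:end]))
        pos = end
    return out


# Constructed sample packets (not captured traffic).
# PINGREQ: type 12, Remaining Length 0.
PINGREQ = bytes([0xC0, 0x00])
# PUBLISH (type 3, QoS 0) to topic "a/b" with payload "hi":
# topic length 0x0003 + "a/b" + "hi" -> Remaining Length 2 + 3 + 2 = 7.
PUBLISH = bytes([0x30, 0x07, 0x00, 0x03]) + b"a/b" + b"hi"
# Header declaring the maximum 268,435,455-byte body; no body follows.
OVERSIZED = bytes([0x30, 0xFF, 0xFF, 0xFF, 0x7F])
# Five continuation bytes: an encoding the spec does not allow.
MALFORMED = bytes([0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F])


def demo() -> dict:
    """Run the guard over the samples; returns a summary a test can check."""
    result = {"ok": [t for t, _ in split_packets(PINGREQ + PUBLISH)]}
    for name, pkt in (("oversized", OVERSIZED), ("malformed", MALFORMED)):
        try:
            check_fixed_header(pkt)
            result[name] = "accepted"
        except MqttFramingError as exc:
            result[name] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same idea is what MQTT 5.0's Maximum Packet Size property (exchanged in CONNECT and CONNACK) formalises, and most brokers expose an equivalent setting; it is worth checking that limit alongside the version upgrade.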
The precise details differ from broker to broker. All three flaws are triggered by a malicious MQTT message, but the message has to be crafted for the specific target. Knudsen’s research produced three messages, each of which crashes one broker, and found no single message capable of crashing all three – a small comfort to beleaguered system administrators.
Knudsen and CyRC privately disclosed the flaws to the project maintainers in March, and all three have now been patched. RabbitMQ users are advised to upgrade to version 3.8.16 or later; EMQ X users to version 4.2.8 or later; and VerneMQ users to version 1.12.0 or later. Until the upgrade lands, restricting which hosts can reach the broker’s MQTT listener limits who is in a position to send the triggering message. ®