2024年11月9日 星期六

IoT 開發筆記 - 關於歐盟 無線電設備指令 (Radio Equipment Directive, RED) RED-DA 對於聯網設備的資安自我檢查辦法

這兩年英國、新加坡、歐盟都有滿多資安相關的議題,例如英國 Product Security and Telecommunications Infrastructure (PSTI) 產品安全和電信基礎設施法案在 2024.04 生效,現在則幫忙公司處理歐盟 2025年夏天要推進的無線設備指令—委託法案 (Radio Equipment Directive – Delegated Act, 簡稱 RED-DA )

已知的粗略資訊:

  • 商品若有聯網功能,需要依照 RED-DA 的要求自我檢驗一番,才能把商品賣進歐盟國家
  • 尚未有中央單位負責檢驗,各大品牌找一些值得信任檢驗單位,請他們檢驗商品出檢驗報告,未來商品進歐盟時,被要求提供報告時,可以拿出來用
因此,產品負責人或銷售業務,其實要做的是趕緊找一間信任的資安檢驗公司,提出商品檢驗的需求,價格通常也不便宜,最重要檢驗的時程也不短,通常簽約繳件後也要數個月才會產出報告的,而報告其實是會高度依賴商品的使用情境跟品牌/廠牌,基本上代工廠不能公版做完一份就沒事,是品牌商也得依序產報告(找同一間資安公司,應當有些優惠吧?可以讓資安公司省去摸索商品,且相似的商品可以讓驗證機制加速)

總之,就會進行一些聯網設備(IoT)的處理,通常,資安公司也高度依賴產品公司的 IT 部門或負責研發的開發者提供的資訊。

為了加速檢驗報告的產生,公司可以先自行體檢:
  • 使用 OpenVAS Scanner 等類似工具對聯網設備進行弱點掃描
  • 請開發者整理產品用到了相關 libraries ,透過 CVE 資料庫進行查詢,若發現有漏洞就評估該怎樣更新
  • 若像 WIFI AP 提供 http://192.168.1.1 登入後台使用,那至少必須改提供 https://192.168.1.1 自簽憑證方案
由於檢驗報告項目眾多,單純先列一下可以自我檢驗的部分,其他的部分,還是交給資安業者,讓專業的來吧

筆記一下,怎樣用 OpenVAS 來掃設備,當然,這是個 Docker 當道的時代,直接跑 Docker 即可,收工(誤),實測在 macOS 15 和 Windows 11 都可以正常運作的:

C:\Users\User>docker run -p 8443:443 --name openvas mikesplain/openvas

Unable to find image 'mikesplain/openvas:latest' locally

latest: Pulling from mikesplain/openvas

34667c7e4631: Pull complete

d18d76a881a4: Pull complete

119c7358fbfc: Pull complete

2aaf13f3eff0: Pull complete

67b182362ac2: Pull complete

c878d3d5e895: Pull complete

ec12cc49fe18: Pull complete

c4c454aeebef: Pull complete

27d3410150b2: Pull complete

e08d578dc278: Pull complete

44951337cd32: Pull complete

8c7fe885e62a: Pull complete

a4f833680e45: Pull complete

Digest: sha256:23c8412b5f9f370ba71e5cd3db36e6f2e269666cd8a3e3e7872f20f8063b2752

Status: Downloaded newer image for mikesplain/openvas:latest

Testing redis status...

Redis not yet ready...

Redis ready.

Checking for empty volume

Restarting services

 * Restarting openvas-scanner openvassd

   ...done.

 * Restarting openvas-manager openvasmd

   ...done.

 * Restarting openvas-gsa gsad

   ...done.

Reloading NVTs

Rebuilding NVT cache... done.

Checking setup

openvas-check-setup 2.3.3

  Test completeness and readiness of OpenVAS-9


  Please report us any non-detected problems and

  help us to improve this check routine:

  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss


  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.


  Use the parameter --server to skip checks for client tools

  like GSD and OpenVAS-CLI.


Step 1: Checking OpenVAS Scanner ...

        OK: OpenVAS Scanner is present in version 5.1.3.

        OK: OpenVAS Scanner CA Certificate is present as .

...

接著就在本機開啟 https://localhost:8443/ 來運作:

添加一則 task (左上角的紫色 icon ) -> 指定設備的 IP -> 右下角有 Actions 記得按下 Play icon 


運行好一陣子後,就會看到一些報告了,像是幫你檢驗 Web server 的版本是否有漏洞、網頁上是否有需要更新的 js libraries,例如:


至於嵌入式系統內部的自我檢查,其實可以善用美國國家單位提供的服務: nvd.nist.gov/vuln/search


在那邊去輸入資訊查詢,像是 curl 啊,等等


當然,這邊純人工檢查極累 Orz 所以,也有 API 服務可以申請,就能夠批次詢問了,細節請參考:

最後,把玩一下小工具:pypi.org/project/cve-vulnerability-scanner/

% NVD_API_KEY='XXXX-XXXX-XXXX-XXXX' cve-vulnerability-scanner -p zlib -v 1.2.13 -o /tmp/output.md ; cat /tmp/output.md 


Scanning zlib version 1.2.13

Loading cached data for zlib


Scan complete. Report generated in /tmp/output.md

# Security Vulnerability Report

Generated on: 2024-11-09 08:53:47


## zlib 1.2.13


### CVE-2023-45853

Severity: CRITICAL

CVSS Score: 9.8

Version Range: * to 1.3

Published: 2023-10-14T02:15:09.323

Last Modified: 2024-08-01T13:44:58.990

Description: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.


### CVE-2023-48106

Severity: HIGH

CVSS Score: 8.8

Version Range: * to *

Published: 2023-11-22T18:15:09.630

Last Modified: 2023-12-02T00:27:03.327

Description: Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an attacker to execute arbitrary code via a crafted file to the mz_path_resolve function in the mz_os.c file.


### CVE-2023-48107

Severity: HIGH

CVSS Score: 8.8

Version Range: * to *

Published: 2023-11-22T23:15:10.663

Last Modified: 2023-12-27T04:15:07.277

Description: Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an attacker to execute arbitrary code via a crafted file to the mz_path_has_slash function in the mz_os.c file.


### CVE-2023-6992

Severity: MEDIUM

CVSS Score: 5.5

Version Range: * to 2023-11-16

Published: 2024-01-04T12:15:23.690

Last Modified: 2024-01-10T01:14:35.027

Description: Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow.

A local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.

Patches: The issue has been patched in commit  8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c . The upstream repository is not affected.



### CVE-2003-0107

Severity: UNKNOWN

CVSS Score: 0.0

Version Range: * to *

Published: 2003-03-07T05:00:00.000

Last Modified: 2022-06-22T16:40:46.327

Description: Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.


### CVE-2004-0797

Severity: UNKNOWN

CVSS Score: 0.0

Version Range: * to *

Published: 2004-10-20T04:00:00.000

Last Modified: 2022-06-22T16:40:46.360

Description: The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).


### CVE-2005-2096

Severity: UNKNOWN

CVSS Score: 0.0

Version Range: * to *

Published: 2005-07-06T04:00:00.000

Last Modified: 2022-06-22T16:40:46.413

Description: zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.


### CVE-2005-1849

Severity: UNKNOWN

CVSS Score: 0.0

Version Range: * to *

Published: 2005-07-26T04:00:00.000

Last Modified: 2022-06-22T16:40:46.380

Description: inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.


### CVE-2009-1391

Severity: UNKNOWN

CVSS Score: 0.0

Version Range: * to 2.015

Published: 2009-06-16T23:30:00.203

Last Modified: 2018-10-03T22:00:28.997

Description: Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.


### CVE-2009-1391

Severity: UNKNOWN

CVSS Score: 0.0

Version Range: * to *

Published: 2009-06-16T23:30:00.203

Last Modified: 2018-10-03T22:00:28.997

Description: Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.

這工具純把玩,困難之處就是做 version 和 library name 比對,這工具純示意,仍有非常大進步的空間,甚至該把這空間交給專業的資安公司就好,畢竟這是個分工的時代,且需要大量的人力檢視 Orz

沒有留言:

張貼留言