[Dev] A security researcher has found 40 unknown zero-day vulnerabilities in Tizen

Carsten Haitzler c.haitzler at samsung.com
Thu Apr 6 08:12:04 GMT 2017


On Thu, 6 Apr 2017 08:52:11 +0200
Dominig Ar Foll <dominig.arfoll at fridu.net> wrote:

> Hello,
> 
> I would like to know what response Tizen has to provide to the
> affirmation from Israeli researcher Amihai Neiderman reported in the
> specialised web site Motherboard.
>   https://motherboard.vice.com/en_us/article/samsung-tizen-operating-system-bugs-vulnerabilities
> 
> I believe that it would be important to have a clear visibility of
> what needs to be improved in the Tizen code going forward. As an
> indirect user of Tizen technologies (AGL reuse Smacks and Cynara), I
> am less concerned by the correction of the existing devices, as I feel
> that it's more a commercial issue even if poor old devices can damage
> the image of the OS and so the technologies that it uses.
> 
> But extracting a todo list from the finding reported would be very
> valuable for all of us.

The researcher has not provided a clear list of the 40 issues he
claimed so far. We only have his slides, from which I quote him:

"It contains some of the vulnerabilities I have found. It mostly talks
about pitfalls, so don't expect to find here all of the actual
vulnerabilities or that they are all exploitable."

So far we only received some details on the last one mentioned in his
slides yesterday and below is the gerrit action fixing it so far. Note
that it has nothing to do with strcpy and it's a result of some subtle
behaviour of sscanf that still validly scanf's without error when asked
to scan 2 hex digits (see review comments). This leads to skipping past
the end of the input buffer etc.

https://review.tizen.org/gerrit/122764

The first 49 slides of the 67 slide deck contain no actual details.

All the issues other than the single one above are in the Tizen
Appstore client code inside the code that fetches/downloads data from
the Appstore and one mention of "Samsung cloud" app. Only the above
gerrit issue was a Tizen platform issue. The rest were product specific
code (Appstore and cloud app are not platform things). So I think
whatever articles have been published are, so far, major hyperbole and
don't differentiate between platform and product apps. Of course I
don't think it's fair to assume such differentiation can be made by
people not "in the know".

I am not sure I can share the slides I have as they are not mine to
share, but the above is my summary. The slides surely don't list 40
exploitable bugs. If they listed them I'd be far happier.

Now I've covered that, let me say that having security issues in code
that drives a platform OR products is not a good thing. I wish he'd
actually filed bugs on http://bugs.tizen.org 8 months ago. Every
platform and software has bugs. Every minor update of Android, iOS,
Windows, and many more OSes fixes dozens if not hundreds of CVEs and
this is a fact of life. Some are buffer overflow types, and some are
something else. The practical way to deal with these is to address them
as soon as they are found, fix them and issue updates. In this case
something broke down in communication. The details of why, I don't
know.

Security vulnerabilities are a serious issue, be they in inherited open
source code, in code written for Tizen as a platform OR for specific
products. I take these seriously. Perhaps we need to make it more
obvious as to where to report such issues responsibly to ensure they
get fixed in advance. Either way, just like all other operating systems
and software projects, there will be issues and some may affect the
security of users and systems, and such issues should be fixed ASAP. We
have already started, given what information we have, but we have very
little. We're trying to get more.
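The sscanf behaviour Carsten points at above (a `%2x` conversion that succeeds after reading only one hex digit, so code that then steps over two digits walks off the end of the input) is shown here as an added, constructed illustration. This is not the Tizen code and not the fix from the gerrit review; the function names (`hex_pair_consumed`, `naive_decode_overshoot`, `safe_percent_decode`) and the `%XX` escape-decoding scenario are assumptions chosen to make the pitfall concrete.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the sscanf pitfall (not the Tizen code):
 * a decoder for "%XX" escapes, as used in URLs, that parses the two
 * hex digits with sscanf("%2x"). */

/* Number of input characters sscanf("%2x") really consumes. The width
 * 2 means "at most two hex digits", so on "a" or "aZ" the call succeeds
 * (returns 1) after consuming a single character; %n records the count. */
int hex_pair_consumed(const char *s)
{
    unsigned val;
    int n = 0;
    if (sscanf(s, "%2x%n", &val, &n) != 1)
        return 0;   /* no hex digit at all (or empty string): nothing consumed */
    return n;       /* 1 or 2 */
}

/* Pitfall version: it trusts the sscanf return value and always steps
 * over three characters ('%' plus two assumed digits). To keep this
 * runnable it counts how far the cursor would land past the terminator
 * instead of actually reading past it. Returns the overshoot in bytes;
 * 0 means every step stayed inside the string. */
size_t naive_decode_overshoot(const char *in)
{
    size_t len = strlen(in);
    size_t i = 0;
    while (i < len) {
        unsigned val;
        if (in[i] == '%' && sscanf(in + i + 1, "%2x", &val) == 1) {
            i += 3;   /* wrong when only one digit followed the '%' */
        } else {
            i++;
        }
    }
    return i - len;
}

/* Hardened version: validate both characters as hex digits before
 * scanning, so the advance matches what was actually parsed. The
 * isxdigit pre-check also rejects input that %x would otherwise accept,
 * namely leading whitespace and a sign. Returns the decoded length, or
 * -1 on a malformed or truncated escape or when out is too small. */
int safe_percent_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; ) {
        if (o + 1 >= outsz)
            return -1;
        if (in[i] == '%') {
            /* short-circuit: in[i+2] is only read if in[i+1] is a digit */
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return -1;   /* "%", "%a", "%zz": reject instead of guessing */
            unsigned val;
            int n = 0;
            sscanf(in + i + 1, "%2x%n", &val, &n);   /* n is 2 after the check */
            out[o++] = (char)val;
            i += 1 + n;
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Convenience wrapper returning a static buffer, or NULL on rejection. */
const char *safe_decode_static(const char *in)
{
    static char buf[64];
    return safe_percent_decode(in, buf, sizeof buf) < 0 ? NULL : buf;
}

int main(void)
{
    printf("consumed by \"%%2x\" on \"4a\": %d, on \"a\": %d\n",
           hex_pair_consumed("4a"), hex_pair_consumed("a"));
    printf("naive overshoot on \"a%%a\": %zu\n", naive_decode_overshoot("a%a"));
    const char *d = safe_decode_static("a%4ab");
    printf("safe decode of \"a%%4ab\": %s\n", d ? d : "(rejected)");
    printf("safe decode of \"a%%a\": %s\n",
           safe_decode_static("a%a") ? "ok" : "(rejected)");
    return 0;
}
```

The point to take from it: a width in a scanf format is an upper bound, not an exact count, and the return value only says how many conversions matched, so an input like `%a` at the end of a string makes the naive loop's cursor jump past the terminator. Either ask for the consumed count with `%n` and advance by that, or validate the characters first so the assumed advance is always correct; any reviewer reading a parser built on `sscanf` should look for fixed-size advances after a successful scan.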

