Security researchers at QAX StarV Security Lab and China Automotive Engineering Research Institute (CAERI) recently published an advisory on a vulnerability they discovered last year in Cybellum’s automotive product security platform. Designated with the identifier CVE-2023-42419, the vulnerability allows unauthorized access to the host system and retrieval of a private key for signing and encrypting shell scripts. These scripts, executed via an API call, are considered legitimate if signed with the compromised key, enabling remote code execution (RCE).
The researchers found a function called execute_rce, but it turned out to be a legitimate API within the product. However, the vulnerability arises from the ease with which the encryption key — used for signing, encrypting, and decrypting uploaded files — can be obtained. This vulnerability potentially allows for the abuse of this API to carry out malicious RCE, that is, malicious actors could exploit the vulnerability to run arbitrary code or commands. The researchers reported the vulnerability to Cybellum in June 2023, and in a security update posted on Feb. 21, Cybellum said that it had implemented a permanent fix in version 2.28 of the affected software (its QCOW air-gapped distribution, exclusively deployed in China).
Vulnerabilities that could lead to RCE were also recently identified in the IT industry, in the form of flaws in virtual private network (VPN) software products from Ivanti and in a remote desktop software product from ConnectWise. RCE represents a significant security threat as it enables attackers to gain control over remote systems, positioning it among the most critical security issues.
The potential impact of such vulnerabilities underscores the importance of continuous quality control across the overall software life cycle, from development phase to operating phase:
- Integration of automotive security and IT security. It is recommended for automotive cybersecurity product vendors to have expertise in both the automotive and IT industries to ensure the delivery of secure products and cloud services. It is also important to assess whether vendors’ product and software development projects comply with automotive and IT–related standards such as ASPICE and ISO/IEC 27017.
- Security response in action. Implementing a streamlined security incident handling process enables organizations to promptly activate relevant procedures for identifying, assessing, and addressing risks associated with security vulnerabilities across their products. This makes it easier for stakeholders to take relevant actions toward risk mitigation.
- Security at the forefront. As cybersecurity is continuously evolving, establishing a comprehensive security policy ensures that both existing employees and new hires can follow a shared policy, including cybersecurity management, cybersecurity plan guidelines, software security policy, continuous improvement programs, and continuous training programs.