Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

Software Vulnerability Report

23 januari 2023

In today's digital age, cybersecurity threats have become a pervasive concern for businesses and individuals alike. Cybercriminals are continually seeking out new vulnerabilities to exploit in software and other computer systems, and organizations must remain vigilant in protecting their sensitive data from these threats.

One way that cybersecurity researchers and vendors help protect against these threats is by identifying and reporting potential vulnerabilities in software. These reports are often referred to as "software vulnerability report," and they play a critical role in maintaining the security of digital systems.

A software vulnerability report is a statement made by a security researcher or vendor about a potential weakness or flaw in software that could be exploited by attackers to compromise the security of the system. These reports may describe specific vulnerabilities, how they could be exploited, and their potential impact on the system.

Software vulnerabilities can arise from a variety of factors, including coding errors, design flaws, or other issues. They can be challenging to identify, as cybercriminals often use sophisticated methods to exploit them. However, once a vulnerability has been identified, it can often be addressed through patches, updates, or other security measures.

DataDiode

A DataDiode is a hardware device that provides an effective means of protecting sensitive information from potential threats. By allowing data to flow in only one direction, from a high-security network to a lower-security network, or the other way around, it prevents any data from being sent back in the opposite direction, and provides a level of assurance that no software-only solution can match. This ensures that sensitive information cannot be compromised by external attacks or internal malfeasance.

To maintain the protocols that go through the Diode, software is often used in conjunction with the hardware. The system is responsible for controlling the flow of data and ensuring that it is transmitted from one network to another. It may also be eligible for implementing additional security measures, such as encryption, filtering or authentication, to further protect the data as it passes through the Diode.

Overall, the combination of hardware and software provides a robust and effective means of protecting sensitive information from potential threats. By utilizing a DataDiode and the appropriate software, organizations can significantly reduce their risk of cyber attacks and maintain the security of their digital systems.

Vulnerabilities in the Fox DataDiode Core software

We recently underwent an external audit of our software. The results have shown that a few vulnerabilities were found in version 3.4.3 and prior versions of the Fox DataDiode Core software. Even though this has never compromised the confidentiality or integrity of the DataDiode itself, we take these findings seriously and have already taken steps to address them.

We would like to extend our sincere gratitude to Ianis Bernard from NATO, who discovered these vulnerabilities and reported them to us on July 13th, 2022. We appreciate the time and effort that went into identifying these issues, and we are pleased to report that all of the identified vulnerabilities have now been fixed in version 3.4.4.

The vulnerabilities that were discovered and fixed are as follows:

  • Path traversal vulnerability (CWE-22): This vulnerability could potentially allow an attacker to gain access to files and folders outside of the target directory. We have implemented a fix to validate that the absolute path is within the correct folder. This vulnerability would only have an impact if file transfers were enabled.
  • Divide by zero (CWE-369): This vulnerability could allow an attacker to crash downstream by sending a specifically crafted UDP packet. We have addressed this issue by ignoring these packets.
  • Outdated software in use (CWE-1329): Our software was using an old version of the NET-SNMP library. While we are pleased to report that no exploits were found in our software in combination with this library, we have still updated the library to ensure that we are using the most secure version available.

We would like to reiterate that all of the identified vulnerabilities have been fixed, with core version 3.4.4 addressing both the divide by zero and path traversal vulnerabilities (CVE-2022-47525 and CVE-2022-47526, respectively) and also the outdated software in use (CWE-1329). We understand that the safety and security of our customers' data is of utmost importance, and we are committed to maintaining the highest levels of security in our products.

Please be informed that this was an external audit, and we are pleased to report that only a few vulnerabilities were found. The vulnerabilities were identified and addressed quickly, with all fixes implemented by August 26th, 2022 - less than a month after we received the report. Even though the core functionality of the DataDiode was not compromised, i.e. in no scenario any form of data leakage would have been possible, we took these findings seriously and have taken steps to address them.

In conclusion, we would like to thank NATO for their support in identifying these vulnerabilities and we would like to assure our customers that we take their security very seriously. We will continue to monitor our products and take proactive measures to ensure that they continue to meet the highest security standards.