IoT Security
Cisco | September 14, 2023
Cisco disclosed eight vulnerabilities in the OAS platform’s engine configuration management functionality.
Three of the eight detected vulnerabilities were rated as high-severity.
The issues detected in OAS Platform v18.00.0072 were addressed, and v19 was released.
Cisco's Talos security researchers have identified eight vulnerabilities in the Open Automation Software (OAS) Platform that can be exploited to bypass authentication, disclose sensitive information, and overwrite files. The OAS Platform is commonly used to facilitate communication and data transfer between servers, industrial control systems (ICS), IoT devices, and other hardware in industrial and enterprise settings.
The OAS Platform is widely deployed in industrial operations, enterprise environments, and cross-platform integrations. It facilitates communication and data exchange across various devices and systems, as well as logging and notifications. The vulnerabilities pose a significant security risk, especially in environments where the OAS Platform is used for critical industrial and enterprise operations. Unauthorized access and data breaches can lead to operational disruptions and potentially compromise sensitive information.
Among the eight vulnerabilities, three are rated as high-severity. Cisco's Talos security researchers were responsible for discovering and disclosing these vulnerabilities. The most critical issues are CVE-2023-31242 and CVE-2023-34998, both of which are authentication bypass flaws. CVE-2023-31242 can be triggered through a sequence of requests, while CVE-2023-34998 can be exploited by sniffing network traffic. The identified vulnerabilities in the OAS Platform mainly revolve around authentication bypass, information disclosure, and file manipulation. Attackers could leverage these weaknesses to create new users, gain unauthorized access, decrypt sensitive information, and perform arbitrary file and directory actions.
These vulnerabilities essentially allow attackers to gain unauthorized access to the system by loading and saving configurations to a disk and installing them on other devices. The issues were identified in OAS Platform version 18 and have been addressed in the subsequent release, version 19.00.0000, highlighting the importance of keeping software up-to-date to mitigate security risks.
These issues stem from the fact that when the OAS engine is deployed, by default, no admin user is defined and no authentication is required to access functionality such as new user creation. Even if an admin user is created, the configuration must be stored prior to restarting the engine, or it will revert to its default state. An attacker can create a new user, save the changes, and thus gain access to the underlying system.
Also, the vulnerability enables an attacker to acquire a protobuf containing valid admin credentials and construct their own requests. The perpetrator could then again obtain access to the underlying system by utilizing the user creation and saving functionality. Cisco warns that these authentication bypass flaws could be combined with CVE-2023-34317, an improper input validation flaw in the user creation functionality, to gain access to the underlying system by adding ‘a user with the username field containing an SSH key.’
CVE-2023-34353 is another high-severity authentication bypass that allows an attacker to perform network snooping to acquire the protobuf containing admin credentials and then decrypt sensitive information. While two of the remaining vulnerabilities could result in information disclosure, the other two could be exploited to create or overwrite arbitrary files and create arbitrary directories.
Industrial IoT
Business Wire | September 29, 2023
Cadence Design Systems, Inc. (Nasdaq: CDNS) today announced the availability of new system prototyping flows based on the Cadence® Integrity™ 3D-IC Platform that support the 3Dblox 2.0 standard. The Integrity 3D-IC Platform is fully compliant with the 3Dblox 2.0 standard language extensions, and the flows have been optimized for all of TSMC’s latest 3DFabric™ offerings, including Integrated Fan-Out (InFO), Chip-on-Wafer-on-Substrate (CoWoS®) and System-on-Integrated-Chips (TSMC-SoIC®) technologies. Through this latest collaboration between Cadence and TSMC, customers creating AI, mobile, 5G, hyperscale computing and IoT 3D-IC designs can model system prototypes to accelerate design turnaround time.
Prototyping requires two different types of feasibility-checking methods across the various 3DFabric technologies—coarse-grained feasibility for thermal and EM-IR analysis, and fine-grained feasibility for die-to-die connections. Coarse-grained feasibility is enabled through a system-level tool integration with the Integrity 3D-IC Platform, featuring Voltus™ IC Power Integrity Solution and Celsius™ Thermal Solver, providing seamless prototyping for all TSMC’s latest 3DFabric configurations. Fine-grained feasibility is enabled through a silicon routing solution as well as joint collaboration on the development of a next-generation auto-router for 3DFabric technologies, which includes performance-boosting prototyping capabilities that support TSMC’s InFO and CoWoS offerings, enabled through the Integrity 3D-IC platform.
The Integrity 3D-IC platform is certified for use with TSMC’s 3DFabric and the 3Dblox 2.0 specification. The platform combines system planning, implementation and system-level analysis in a single platform, and due to the shared infrastructure between Cadence 3D design and system analysis tools, customers can perform feasibility-checking much more efficiently. In addition, Cadence Allegro® X packaging solutions have been enhanced with advanced InFO-specific design rule checking (DRC).
The flows supporting the 3Dblox 2.0 standard provide chiplet mirroring, which lets engineers reuse chiplet module data, improving productivity and performance. In addition, the flows provide inter-chiplet DRC through the Cadence Pegasus™ Verification System, which helps designers create an inter-chiplet CAD layer for DRC automatically.
“With multiple packaging options available for implementation of multi-die designs, early prototyping and feasibility studies are becoming increasingly important,” said Dan Kochpatcharin, head of the Design Infrastructure Management Division at TSMC. “Through our continued collaboration with Cadence and with the addition of the latest prototyping features that support the 3Dblox 2.0 standard, we’re enabling customers to leverage our comprehensive 3DFabric technologies and the Cadence flows to significantly improve 3D-IC design productivity and time to market.”
“The Cadence Integrity 3D-IC Platform is the unified solution that provides an efficient way for customers to leverage the new 3Dblox 2.0 prototyping capabilities to create leading-edge 3D-IC designs using TSMC’s 3DFabric technologies,” said Dr. Chin-Chi Teng, senior vice president and general manager in the Digital & Signoff Group at Cadence. “By working closely with TSMC, customers adopting our new flows for use with 3Dblox 2.0 standard can accelerate the pace of innovation with next-generation multi-chiplet designs.”
The Cadence Integrity 3D-IC Platform includes Allegro X packaging technologies and is part of the company’s broader 3D-IC offering. The offering aligns with the Cadence Intelligent System Design™ strategy, enabling customers to achieve system-in-package (SiP) design excellence. For more information on the Integrity 3D-IC platform, please visit www.cadence.com/go/integrity3dblox2.
Enterprise IoT
Business Wire | October 20, 2023
Tavant, Silicon Valley’s leading digital lending solutions provider, today announced at the MBA's Annual Convention & Expo in Philadelphia, the launch of Data Beats™, a groundbreaking data platform that promises to redefine the financial services landscape. Built to inform, provide insights, act, recommend, and predict, Data Beats ushers in a new era of data-driven intelligence for the industry.
This versatile platform empowers businesses to harness the power of their data and maximize its value, effectively taking the stress out of data management. Key benefits of Data Beats include:
Provides actionable data insights that work for your business;
Analyzes data from various aspects of your operations;
Adapts and learns from your data to provide real-time recommendations; and
Looks into the future, learns and predicts trends.
Data Beats is a platform offering within Tavant's banking and financial services suite of technology products. Data Beats is set to serve as the analytics and IoT engine for the financial services industry, initially focusing on mortgage and home equity products. Tavant plans to extend this robust data ecosystem to all consumer loans and banking products, making it a comprehensive solution for financial institutions.
With Data Beats, Tavant empowers financial institutions towards proactive rather than reactive operations by incorporating generative AI to prompt users on the best course of action. This revolutionary approach allows the platform to offer precise recommendations for loan officers, consumers, processors, and underwriters, enhancing the overall efficiency of the lending process.
Abhinav Asthana, Fintech Product Business and Growth Leader at Tavant, said, “Tavant's mission is to stay at the forefront of innovation and to be the engineering partner of choice in the financial services industry. Data Beats exemplifies our commitment to providing our customers with an advanced platform that accelerates their vision to transform into a data-first organization. We are proud to launch this platform, which brings insights, intelligence, and efficiency to the heart of the lending process.”
Data Beats has already started demonstrating its value within Tavant's existing customer base by enhancing and automating the home buying experience. By consolidating data from various stages of the customer journey, from acquisition to servicing and beyond, Data Beats provides invaluable insights that can be used to predict future behavior, optimize operations, and improve overall business performance. The system's foundation, the data lake, can ingest a wide range of data inputs, limited only by the specific business problem it aims to solve. This flexibility positions Data Beats to become a game-changing tool for a wide range of industries beyond mortgage and lending.