Gerben Dierick (VRT), co-chair of the EBU Media Cybersecurity group
In October 2022, security researchers discovered a severe problem with IBM’s Aspera software, a specialized file-transfer solution popular with media organizations. Attackers could trick any Aspera server into executing whatever they wanted, without even having access to an account on the system. Since these servers are very often reachable from anywhere on the internet, the flaw allowed anyone to take control of Aspera servers and use them as a stepping stone to attack the internal network of an organization.
Programming or configuration mistakes are likely to be present in almost any system, potentially causing undesired behaviour. When such a flaw allows intentional abuse, it becomes a vulnerability.
In the cybersecurity world, vulnerabilities are assigned a Common Vulnerabilities and Exposures (CVE) ID. The Aspera vulnerability is known as CVE-2022-47986, with a severity score of 9.8 out of 10.
Any computer or smartphone user knows regular and sometimes urgent security updates are part of the game. Broadcast equipment is no exception. Preventive measures like staff training, code reviews and thorough testing will help, but vulnerabilities will still be found. Both manufacturers and users must be prepared to deal with them.
In 2022, a total of 25,000 CVEs were published. Luckily, only a small fraction of these vulnerabilities resulted in significant risk. The potential damage depends on how easy a vulnerability is to exploit, what access is granted to an attacker and how the system is used.
As with any bug, when a vulnerability is reported to the manufacturer, a fix must be made available. But with a high-risk vulnerability, this can be very urgent, especially if the issue is publicly known. The manufacturer will also have to warn all known users of the product and inform them of the steps to take to prevent abuse.
Warning the users
When the exploit for the Aspera vulnerability was publicly disclosed, the EBU’s Media Cybersecurity group (MCS) felt IBM was not doing enough to warn its customers. It proved very easy to use specialized search engines to find vulnerable systems all over the world. But the hard part was reaching the owners of those systems to warn them. Where there was a clear security-contact procedure in place, the risk was quickly averted. Without such a security contact, we had to resort to sending a warning to a generic email address or through a contact form found on the website. Unfortunately, most of these messages were ignored. Several media organizations suffered extensive damage after malicious attackers abused the vulnerability.
Because of the potential urgency, validating a reported vulnerability, assessing the risk, warning all users and expediting a fix needs to be a regular, well-rehearsed and preferably at least partially automated process.
Any organizations using information systems should also be prepared. When they are warned of a serious vulnerability, assessing their exposure and implementing any fix or workaround as soon as possible should be second nature.
This all works best if both manufacturers and customers have clearly defined cybersecurity roles and responsibilities, are well prepared, and have established direct communication channels between the right people in both organizations.
We cannot completely prevent vulnerabilities in products, which means we must be prepared to deal with them. The Aspera case shows there is still room for improvement for both vendors and media organizations.
Vulnerability checklist
EBU MCS recommends that EBU Members and their suppliers:
- Set up a way for anyone to report vulnerabilities to your organization and put in place a responsible disclosure policy
- Assign a cybersecurity role and put in place vulnerability management
- Assess potential suppliers on their vulnerability management procedures
- Test equipment for known vulnerabilities during development, procurement and production use
This article first appeared in issue 56 of EBU tech-i magazine.