Critical vulnerabilities on FreeRTOS expose many systems to attacks

FreeRTOS vulnerability

Amazon recently fixed 13 security vulnerabilities in the Internet of Things operating system FreeRTOS and the AWS connectivity module. These vulnerabilities could cause an intruder to compromise a device, divulge in-memory content, and run code remotely, giving the attacker complete control over the device. These vulnerabilities can have serious implications if not fixed. FreeRTOS, and a similar safety-oriented product, SafeRTOS, are widely used in a variety of devices, including automobiles, aeroplanes, and medical devices, both inside and outside the home.

Image: By UnknownUnknown author (nicht angegeben) [Public domain], via Wikimedia Commons

CVE List:

CVE Description
CVE-2018-16522 Remote code execution
CVE-2018-16525 Remote code execution
CVE-2018-16526 Remote code execution
CVE-2018-16528 Remote code execution
CVE-2018-16523 Denial of service
CVE-2018-16524 Information leak
CVE-2018-16527 Information leak
CVE-2018-16599 Information leak
CVE-2018-16600 Information leak
CVE-2018-16601 Information leak
CVE-2018-16602 Information leak
CVE-2018-16603 Information leak
CVE-2018-16598 Other

According to FreeRTOS’s open source agreement, Zimperium, which found these vulnerabilities, provided technical details only 30 days after the vulnerability was disclosed. This will give the relevant vendors an opportunity to fix these vulnerabilities.

This kind of vulnerability disclosure is not uncommon, but it is a relatively new job for Amazon. A year ago, in November 2017, AWS took over the core of FreeRTOS. This is a test of the ability to deal with the Amazon problem, and it seems that Amazon seems to have passed the test.