Critical vulnerabilities on FreeRTOS expose many systems to attacks
Amazon recently fixed 13 security vulnerabilities in the Internet of Things operating system FreeRTOS and the AWS connectivity module. These vulnerabilities could allow an attacker to compromise a device, disclose in-memory content, and run code remotely, giving the attacker complete control over the device. Left unfixed, they can have serious implications: FreeRTOS, and a similar safety-oriented product, SafeRTOS, are widely used in a variety of devices, including automobiles, aeroplanes, and medical devices, both inside and outside the home.
CVE               Description
CVE-2018-16522    Remote code execution
CVE-2018-16525    Remote code execution
CVE-2018-16526    Remote code execution
CVE-2018-16528    Remote code execution
CVE-2018-16523    Denial of service
CVE-2018-16524    Information leak
CVE-2018-16527    Information leak
CVE-2018-16599    Information leak
CVE-2018-16600    Information leak
CVE-2018-16601    Information leak
CVE-2018-16602    Information leak
CVE-2018-16603    Information leak
CVE-2018-16598    Other
In line with FreeRTOS’s open source disclosure terms, Zimperium, which found these vulnerabilities, is withholding technical details until 30 days after the disclosure. This gives the affected vendors an opportunity to fix these vulnerabilities before the details become public.
This kind of vulnerability disclosure is not uncommon, but it is a relatively new job for Amazon. A year ago, in November 2017, AWS took over stewardship of the FreeRTOS kernel. This was a test of Amazon’s ability to handle such problems, and it appears to have passed.