Multiple Vulnerabilities Found in FreeRTOS
zLabs researcher Ori Karliner has found [1] multiple critical vulnerabilities in the open source real-time embedded operating system FreeRTOS.
“During our research, we discovered multiple vulnerabilities within FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS,” wrote Karliner in a blog post.
Karliner said that these vulnerabilities allow an attacker to crash the device, leak information from its memory, and remotely execute code on it.
FreeRTOS is a popular choice for IoT and embedded devices, with ports to more than 40 hardware architectures. The vulnerabilities affect FreeRTOS up to V10.0.1 (when used with the FreeRTOS+TCP stack), AWS FreeRTOS up to V1.3.1, and WHIS OpenRTOS and SafeRTOS (when used with the WHIS Connect middleware TCP/IP components). The flaws sit in the TCP/IP stack and the AWS secure connectivity modules rather than in the kernel itself, so devices that do not build in those networking components are not exposed by these findings.
zLabs reported the flaws to AWS and worked with AWS on fixes. AWS has released patches in AWS FreeRTOS 1.3.2 and later; devices still running earlier AWS FreeRTOS, FreeRTOS+TCP, or WHIS Connect builds remain exposed until they are updated.