Security researcher Ori Karliner, of Zimperium’s zLabs, has warned of a range of vulnerabilities in the popular open-source FreeRTOS real-time operating system kernel – and with remote code execution possible, developers using the platform are urged to patch.
Made available under the MIT Licence, FreeRTOS supports a wide range of platforms and its small size combined with the provision of pre-written configurations and demonstrations for all supports ports and compilers has made it a popular choice for embedded developers. Sadly, that very popularity means that a selection of remote code execution vulnerabilities – which allow attackers to execute arbitrary code over a remote network connection – is of serious concern.
“During our research, we discovered multiple vulnerabilities within FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS/SafeRTOS,” writes Ori Karliner of the security flaws. “These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it.”
Following the discovery of the vulnerabilities, Ori and colleagues at zLabs communicated details of the flaw to project maintainer Amazon which has now patched the issues in FreeRTOS version 1.3.2 and above. “Since this is an open source project,” Ori adds, “we will wait for 30 days before publishing technical details about our findings, to allow smaller vendors to patch the vulnerabilities.”
More information on the discovery is available on the Zimperium blog, along with an email address to contact the company if you believe you have shipped a product with a vulnerable version of FreeRTOS.