Multiple serious vulnerabilities have been discovered in FreeRTOS, a real-time operating system kernel used in a large number of internet-connected devices.
FreeRTOS has been ported to nearly 40 hardware platforms. Amazon Web Services (AWS) took stewardship of the FreeRTOS kernel and its components in late 2017.
According to Zimperium zLabs research, the FreeRTOS vulnerabilities could put a “wide range of devices at risk of compromise,” ranging from smart home devices to critical infrastructure systems.
zLabs disclosed 13 vulnerabilities within FreeRTOS:
“During our research, we discovered multiple vulnerabilities within FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS.
These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it.”
zLabs reported the vulnerabilities to Amazon and has continued to work with the company on patches for them.
Of the 13 vulnerabilities, four allow remote code execution, one causes denial of service, seven leak information, and one is classified as ‘Other.’
zLabs added that the fixes are included in AWS FreeRTOS version 1.3.2 and later, so devices still running earlier versions remain exposed until they are updated.