FreeRTOS, the open-source operating system that powers most of the small microprocessors and microcontrollers in smart homes and critical infrastructure systems, has 13 vulnerabilities, a third of them allowing remote code execution.

The vulnerabilities are in the TCP/IP stack and affect the FreeRTOS derivation maintained by Amazon, as well as OpenRTOS and SafeRTOS, maintained by WITTENSTEIN high integrity systems (WHIS), which are variants for commercial products available under the MIT license.

13 vulnerabilities discovered

Ori Karliner at Zimperium analyzed the operating system and found that all of its varieties are vulnerable to four remote code execution bugs, one denial of service, seven information leaks and another, undisclosed type of security problem.

The versions affected are FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), AWS FreeRTOS up to V1.3.1, and OpenRTOS and SafeRTOS (with WHIS Connect middleware TCP/IP components).

Amazon has been notified of the situation and the company responded by releasing patches to mitigate the problems.

Zimperium is not releasing any technical details at the moment “to allow smaller vendors to patch the vulnerabilities,” a report from the company informs. The wait time expires in 30 days.

Top choice for embedded systems

FreeRTOS is a real-time operating system microkernel that has been developed by chip companies for over 15 years, and it is the main choice manufacturers make for their embedded devices.

It supports more than 40 hardware platforms and it powers the microcontrollers in a diverse range of products: temperature monitors, appliances, sensors, fitness trackers, industrial automation systems, cars, door locks, electricity meters, and other microcontroller-based devices.

Since FreeRTOS works at a smaller component scale, it lacks the complexity that comes with more elaborate hardware. Nevertheless, it fulfills an important function, as it allows data to be processed as it comes in.

About a year ago, Amazon decided to become involved in the development of the product for the Internet-of-Things segment. The company extended the kernel by adding libraries to support cloud connectivity, security and over-the-air updates.

The full list of the vulnerabilities, and their identifiers, that affect FreeRTOS:

CVE-2018-16522 Remote Code Execution
CVE-2018-16525 Remote Code Execution
CVE-2018-16526 Remote Code Execution
CVE-2018-16528 Remote Code Execution
CVE-2018-16523 Denial of Service
CVE-2018-16524 Information Leak
CVE-2018-16527 Information Leak
CVE-2018-16599 Information Leak
CVE-2018-16600 Information Leak
CVE-2018-16601 Information Leak
CVE-2018-16602 Information Leak
CVE-2018-16603 Information Leak
CVE-2018-16598 Other
