Multiple TCP/IP Vulnerabilities in AWS FreeRTOS -- FutureTech360

Multiple TCP/IP Vulnerabilities in AWS FreeRTOS

By Gladys Rama
10/18/2018

Researchers from Dallas, Texas-based Zimperium this week sent out a warning regarding several TCP/IP vulnerabilities within the Amazon Web Services (AWS) version of the FreeRTOS operating system for Internet of Things (IoT) devices.

Zimperium's research arm, zLabs, discovered the vulnerabilities as part of an ongoing study of IoT platforms.

According to the zLabs' researchers, "multiple vulnerabilities" in the FreeRTOS TCP/IP stack can "allow an attacker to crash the device, leak information from the device's memory, and remotely execute code on it, thus completely compromising it."

FreeRTOS is an open source platform for microcontrollers used in IoT systems.

AWS took stewardship of FreeRTOS last year, building on the original kernel to include integration with AWS cloud services, such as AWS IoT Core and AWS Greengrass.

AWS' version of FreeRTOS is designed simplify the device management for developers in the IoT space, according to its info page:

Microcontrollers frequently run operating systems which do not have built in functionality to connect to local networks or the cloud, making IoT applications a challenge. Amazon FreeRTOS helps solve this problem by providing both the core operating system (to run the edge device) as well as software libraries that make it easy to securely connect to the cloud (or other edge devices) so you can collect data from them for IoT applications and take action.

There are also two other versions of FreeRTOS affected by Zimperium's findings, both developed by Wittenstein High Integrity Systems (WHIS): OpenRTOS and SafeRTOS.

In total, the researchers found 13 vulnerabilities ranging from remote code executions, denial-of-service attacks and data leaks. They are as follows:

Remote code executions: CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528
Denial-of-service: CVE-2018-16523
Data leaks: CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603
"Other": CVE-2018-16598

The vulnerabilities were located in "FreeRTOS's TCP/IP stack and in the AWS secure connectivity modules," Zimperium researcher Ori Karliner said in a blog post. "The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS."

Zimperium noted that the IoT devices that use these operating systems are prevalent in many industries -- including health care, aerospace and automotive -- that are considered "high risk," making these vulnerabilities especially damaging if exploited.

Karliner said Zimperium has been working with AWS and WHIS to disclose and patch the affected FreeRTOS versions.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.

Featured White Papers

Featured

Japanese Robotics Startup Develops Smart Mask for Voice-to-Text Translations

The world's first "smart mask" fits over a standard medical mask and translates eight languages.
NSF Establishes 3 Institutes to Address "Quantum Computing Challenge"

The U.S. National Science Foundation (NSF) is establishing three new institutes "designed to have a tangible impact" on the challenges presented by quantum computing over the next five years.
Microsoft Enhances IoT Security with CyberX Acquisition

Microsoft acquires industrial cybersecurity company CyberX for IoT/OT security.
Ethereum Blockchain Solutions Provider ConsenSys Acquires Fluidity

ConsenSys, a New York-based provider of full-stack Ethereum blockchain solutions, has announced the acquisition of "the team and technology" of its joint venture partner Fluidity, a Brooklyn-based blockchain technology company.

Advertise