Multiple TCP/IP Vulnerabilities in AWS FreeRTOS

Researchers from Dallas, Texas-based Zimperium this week sent out a warning regarding several TCP/IP vulnerabilities within the Amazon Web Services (AWS) version of the FreeRTOS operating system for Internet of Things (IoT) devices.

Zimperium's research arm, zLabs, discovered the vulnerabilities as part of an ongoing study of IoT platforms.

According to the zLabs' researchers, "multiple vulnerabilities" in the FreeRTOS TCP/IP stack can "allow an attacker to crash the device, leak information from the device's memory, and remotely execute code on it, thus completely compromising it."

FreeRTOS is an open source platform for microcontrollers used in IoT systems.

AWS took stewardship of FreeRTOS last year, building on the original kernel to include integration with AWS cloud services, such as AWS IoT Core and AWS Greengrass.

AWS' version of FreeRTOS is designed to simplify device management for developers in the IoT space, according to its info page:

Microcontrollers frequently run operating systems which do not have built in functionality to connect to local networks or the cloud, making IoT applications a challenge. Amazon FreeRTOS helps solve this problem by providing both the core operating system (to run the edge device) as well as software libraries that make it easy to securely connect to the cloud (or other edge devices) so you can collect data from them for IoT applications and take action.

There are also two other versions of FreeRTOS affected by Zimperium's findings, both developed by Wittenstein High Integrity Systems (WHIS): OpenRTOS and SafeRTOS.

In total, the researchers found 13 vulnerabilities, spanning remote code execution, denial-of-service and data leaks. They are as follows:

  • Remote code executions: CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528
  • Denial-of-service: CVE-2018-16523
  • Data leaks: CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603
  • "Other": CVE-2018-16598

The vulnerabilities were located in "FreeRTOS's TCP/IP stack and in the AWS secure connectivity modules," Zimperium researcher Ori Karliner said in a blog post. "The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS."

Zimperium noted that the IoT devices that use these operating systems are prevalent in many industries -- including health care, aerospace and automotive -- that are considered "high risk," making these vulnerabilities especially damaging if exploited.

Karliner said Zimperium has been working with AWS and WHIS to disclose and patch the affected FreeRTOS versions.

About the Author

Gladys Rama is the senior site producer for, and
