The FreeRTOS Vulnerability Disaster

FreeRTOS, the open-source real-time operating system that runs on most of the small microprocessors and microcontrollers inside many IoT hardware products, has newly disclosed vulnerabilities.

The vulnerabilities are in the TCP/IP stack (FreeRTOS+TCP) and affect FreeRTOS itself.

The versions affected

The versions affected are FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), AWS FreeRTOS up to V1.3.1, and OpenRTOS and SafeRTOS (with the WHIS Connect middleware TCP/IP components).

Why this is a disaster

FreeRTOS is used in many IoT devices.  These devices are often inexpensive and not easily patched.  In fact, many of these devices have firmware that has not been updated for many years.

Examples of products that use FreeRTOS are fitness trackers, temperature monitors, appliances, cars, door locks, water meters, and many more small devices.  Only the devices that use the TCP/IP stack are vulnerable, which means the vulnerable devices are the ones that can connect to the internet.

Since we know that these devices are connected, we can conclude that they can also be patched.

But will they?

Likely not.  So this is a vulnerability that has the potential to be exploited for years to come.
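A defender's first job here is inventory: which builds carry an affected kernel and actually compile the TCP/IP stack in. The script below is an added example, not code from the post or from the FreeRTOS project. It encodes the two "up to and including" ranges stated above (FreeRTOS V10.0.1 with FreeRTOS+TCP, AWS FreeRTOS V1.3.1) and scans a source tree given as a path-to-text mapping. The markers it looks for are assumptions about a typical tree: the `tskKERNEL_VERSION_NUMBER` macro in `task.h`, the `ipconfigUSE_TCP` switch in `FreeRTOSIPConfig.h`, and an `#include "FreeRTOS_IP.h"`. The sample trees are constructed, not real firmware.

```python
import re

# Inclusive upper bound of each affected range, taken from the post.
AFFECTED_MAX = {
    "FreeRTOS": (10, 0, 1),      # FreeRTOS kernel built with FreeRTOS+TCP
    "AWS FreeRTOS": (1, 3, 1),   # Amazon FreeRTOS release version
}

# Assumed markers of a typical tree (not taken from the post).
KERNEL_VERSION_RE = re.compile(r'tskKERNEL_VERSION_NUMBER\s+"V?(\d+)\.(\d+)\.(\d+)"')
USE_TCP_RE = re.compile(r'#define\s+ipconfigUSE_TCP\s+\(?\s*(\d+)')
IP_INCLUDE_RE = re.compile(r'#include\s+"FreeRTOS_IP\.h"')


def parse_version(text):
    """Return (major, minor, patch) from a version string such as "V10.0.1"."""
    m = re.search(r"V?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no X.Y.Z version in %r" % text)
    return tuple(int(g) for g in m.groups())


def kernel_version(tree):
    """Find the kernel version from any task.h in the tree, or None."""
    for path, text in tree.items():
        if path.endswith("task.h"):
            m = KERNEL_VERSION_RE.search(text)
            if m:
                return tuple(int(g) for g in m.groups())
    return None


def uses_tcp_stack(tree):
    """True if FreeRTOS+TCP is compiled in: ipconfigUSE_TCP is set non-zero,
    or some source file includes the stack's main header."""
    for text in tree.values():
        m = USE_TCP_RE.search(text)
        if m and int(m.group(1)) != 0:
            return True
        if IP_INCLUDE_RE.search(text):
            return True
    return False


def in_affected_range(product, version):
    """Tuple comparison gives the 'up to and including' semantics of the post."""
    return version <= AFFECTED_MAX[product]


def triage(tree, product="FreeRTOS", release_version=None):
    """Decide whether a tree is exposed. For AWS FreeRTOS the release number
    is not the kernel number, so pass it explicitly as release_version."""
    if release_version is not None:
        version = parse_version(release_version)
    else:
        version = kernel_version(tree)
    tcp = uses_tcp_stack(tree)
    if version is None:
        return {"version": None, "tcp_stack": tcp, "affected": None,
                "reason": "version not found; inspect manually"}
    if not tcp:
        reason = "FreeRTOS+TCP not compiled in; advisory does not apply"
    elif in_affected_range(product, version):
        reason = "affected TCP/IP stack version; schedule a firmware update"
    else:
        reason = "version is past the affected range"
    return {"version": version, "tcp_stack": tcp,
            "affected": tcp and in_affected_range(product, version),
            "reason": reason}


# Constructed sample trees (path -> file text), not real firmware.
OLD_WITH_TCP = {
    "FreeRTOS/Source/include/task.h": '#define tskKERNEL_VERSION_NUMBER "V10.0.1"\n',
    "FreeRTOSIPConfig.h": "#define ipconfigUSE_TCP ( 1 )\n",
}
OLD_NO_TCP = {
    "FreeRTOS/Source/include/task.h": '#define tskKERNEL_VERSION_NUMBER "V10.0.1"\n',
    "FreeRTOSConfig.h": "#define configUSE_PREEMPTION 1\n",
}
NEWER_WITH_TCP = {
    "FreeRTOS/Source/include/task.h": '#define tskKERNEL_VERSION_NUMBER "V10.1.1"\n',
    "main.c": '#include "FreeRTOS_IP.h"\n',
}

if __name__ == "__main__":
    for name, tree in [("old+tcp", OLD_WITH_TCP), ("old, no tcp", OLD_NO_TCP),
                       ("newer+tcp", NEWER_WITH_TCP)]:
        print(name, triage(tree))
    print("aws", triage(OLD_WITH_TCP, product="AWS FreeRTOS", release_version="1.3.1"))
```

The point of the `tcp_stack` check is the one the post makes: a kernel in the affected range is only exposed when the TCP/IP stack is built in, so an inventory that keys on kernel version alone will over-report. A tree where the version cannot be found is reported as `affected: None` rather than silently treated as safe.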

The full list of the vulnerabilities that affect FreeRTOS, with their identifiers:

CVE-2018-16522 Remote Code Execution
CVE-2018-16525 Remote Code Execution
CVE-2018-16526 Remote Code Execution
CVE-2018-16528 Remote Code Execution
CVE-2018-16523 Denial of Service
CVE-2018-16524 Information Leak
CVE-2018-16527 Information Leak
CVE-2018-16599 Information Leak
CVE-2018-16600 Information Leak
CVE-2018-16601 Information Leak
CVE-2018-16602 Information Leak
CVE-2018-16603 Information Leak
CVE-2018-16598 Other