The FreeRTOS Vulnerability Disaster

FreeRTOS, the open-source real-time operating system that runs on the small microcontrollers inside many IoT products, has a newly disclosed set of vulnerabilities.

The vulnerabilities are in the TCP/IP stack (the FreeRTOS+TCP component and its commercial equivalents), not in the kernel itself. A device is only exposed if its firmware includes that stack.

The versions affected

The versions affected are FreeRTOS up to V10.0.1 (when built with FreeRTOS+TCP), AWS FreeRTOS up to V1.3.1, and OpenRTOS and SafeRTOS (with the WHIS Connect middleware TCP/IP components).
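A practical first step is to find out whether a firmware tree you are responsible for falls inside that range at all. The script below is an added example, not code from the original post or from the FreeRTOS project: it walks a source tree, reads the kernel version from FreeRTOS's task.h (which really does define tskKERNEL_VERSION_MAJOR, tskKERNEL_VERSION_MINOR and tskKERNEL_VERSION_BUILD), checks whether the FreeRTOS+TCP sources are present, and flags the tree only when both conditions hold. The directory layout, the marker file names used to detect the TCP stack, and the sample trees it builds are assumptions for the demonstration; the V10.0.1 ceiling is the one stated above.

```python
"""Audit a firmware source tree against the affected-version list above.

Added example, not the post's or the FreeRTOS project's own code.
Assumptions: the tree is a plain checkout containing FreeRTOS's task.h
(which defines tskKERNEL_VERSION_MAJOR/MINOR/BUILD) and, if FreeRTOS+TCP
is compiled in, one of its core source files. The affected ceiling
V10.0.1 comes from the post; the sample trees below are constructed.
"""
import os
import re
import tempfile

# Kernel versions up to and including this one are listed as affected
# when built with FreeRTOS+TCP.
AFFECTED_KERNEL_CEILING = (10, 0, 1)

# Files whose presence indicates the FreeRTOS+TCP stack is part of the build
# (assumed marker files; adjust for a vendor tree that renames them).
TCP_STACK_MARKERS = ("FreeRTOS_IP.c", "FreeRTOS_TCP_IP.c", "FreeRTOS_Sockets.c")

_VERSION_RE = re.compile(r"#define\s+tskKERNEL_VERSION_(MAJOR|MINOR|BUILD)\s+(\d+)")


def parse_kernel_version(task_h_text):
    """Return (major, minor, build) from task.h text, or None if not found."""
    parts = {m.group(1): int(m.group(2)) for m in _VERSION_RE.finditer(task_h_text)}
    if not all(k in parts for k in ("MAJOR", "MINOR", "BUILD")):
        return None
    return (parts["MAJOR"], parts["MINOR"], parts["BUILD"])


def audit_tree(root):
    """Walk a tree; report kernel version, TCP stack presence, and exposure."""
    version = None
    has_tcp_stack = False
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == "task.h" and version is None:
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as f:
                    version = parse_kernel_version(f.read())
            if name in TCP_STACK_MARKERS:
                has_tcp_stack = True
    # Only builds that include the TCP/IP stack are exposed; a kernel on its
    # own, or one paired with a different IP stack, is out of scope here.
    affected = version is not None and version <= AFFECTED_KERNEL_CEILING and has_tcp_stack
    return {"kernel_version": version, "has_tcp_stack": has_tcp_stack, "affected": affected}


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def build_sample_tree(kernel, with_tcp):
    """Construct a throwaway tree that mimics a FreeRTOS checkout (sample data)."""
    root = tempfile.mkdtemp(prefix="freertos_audit_")
    major, minor, build = kernel
    _write(root, "FreeRTOS/Source/include/task.h",
           '#define tskKERNEL_VERSION_NUMBER "V%d.%d.%d"\n'
           '#define tskKERNEL_VERSION_MAJOR %d\n'
           '#define tskKERNEL_VERSION_MINOR %d\n'
           '#define tskKERNEL_VERSION_BUILD %d\n' % (major, minor, build, major, minor, build))
    if with_tcp:
        _write(root, "FreeRTOS-Plus/Source/FreeRTOS-Plus-TCP/FreeRTOS_IP.c", "/* stack */\n")
    return root


if __name__ == "__main__":
    for kernel, tcp in [((10, 0, 1), True), ((10, 0, 1), False), ((9, 0, 0), True)]:
        print(kernel, "TCP" if tcp else "no TCP", audit_tree(build_sample_tree(kernel, tcp)))
```

Treat the result as a triage signal, not a verdict: a kernel version above the ceiling says nothing about a vendor tree that carries an older copy of the TCP stack, and a version inside the range may already carry backported fixes. Confirm against the vendor's advisory before closing the finding.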

Why this is a disaster

FreeRTOS is used in many IoT devices. These devices are often inexpensive and not easily patched; in fact, many of them run firmware that has not been updated for years.

Examples of products that use FreeRTOS are fitness trackers, temperature monitors, appliances, cars, door locks, water meters, and many other small devices. Only the devices that include the affected TCP/IP stack are vulnerable, and those are, by definition, the ones that can connect to a network or the internet.

Since these devices are network-connected, they could in principle be patched over that same connection.

But will they be?

Likely not. So these are vulnerabilities that have the potential to be exploited for years to come.

The full list of the vulnerabilities, and their identifiers, that affect FreeRTOS:

CVE-2018-16522: Remote Code Execution
CVE-2018-16525: Remote Code Execution
CVE-2018-16526: Remote Code Execution
CVE-2018-16528: Remote Code Execution
CVE-2018-16523: Denial of Service
CVE-2018-16524: Information Leak
CVE-2018-16527: Information Leak
CVE-2018-16599: Information Leak
CVE-2018-16600: Information Leak
CVE-2018-16601: Information Leak
CVE-2018-16602: Information Leak
CVE-2018-16603: Information Leak