FreeRTOS, the open-source operating system that powers most of the small microprocessors and microcontrollers in many IoT hardware products has newly identified vulnerabilities.
The vulnerabilities are in the TCP/IP stack and affect the FreeRTOS.
The versions affected
The versions affected are FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), AWS FreeRTOS up to V1.3.1, OpenRTOS and SafeRTOS (With WHIS Connect middleware TCP/IP components).
Why this is a disaster
FreeRTOS is used in many IoT devices. These devices are often inexpensive and not easily patched. In fact, many of these devices have firmware that has not been updated for many years.
Examples of products that use FreeRTOS are fitness trackers, temperature monitors, appliances, car, door locks, water meters, and many more small devices. The vulnerable devices that use the TCP/IP are the vulnerable ones. This means that the devices can connect to the internet.
Since we know that these devices are connected we can conclude that they can also be patched.
But will they?
Likely not. So this is a vulnerability that has the potential to be exploited for years to come.
The full list of the vulnerabilities, and their identifiers, that affect FreeRTOS:
| CVE-2018-16522 | Remote Code Execution |
| CVE-2018-16525 | Remote Code Execution |
| CVE-2018-16526 | Remote Code Execution |
| CVE-2018-16528 | Remote Code Execution |
| CVE-2018-16523 | Denial of Service |
| CVE-2018-16524 | Information Leak |
| CVE-2018-16527 | Information Leak |
| CVE-2018-16599 | Information Leak |
| CVE-2018-16600 | Information Leak |
| CVE-2018-16601 | Information Leak |
| CVE-2018-16602 | Information Leak |
| CVE-2018-16603 | Information Leak |
| CVE-2018-16598 | Other |
