Internet of Things · 2018-10-22

Stack flaws may compromise smart devices, even smart homes, research reveals

Mobile security solutions company Zimperium has claimed in a blog post that it found stack vulnerabilities within FreeRTOS’s TCP/IP stack & in the Amazon Web Services (AWS) secure connectivity modules as part of its threat research. The same vulnerabilities exist in the WITTENSTEIN high integrity systems (WHIS) Connect TCP/IP component for OpenRTOS\SafeRTOS, it alleged.

The list of common vulnerabilities & exposures (CVE) can be found on its blog post.

These stack vulnerabilities may let an attacker compromise a device by leaking information from its memory, crashing it, or remotely executing code on it. The “high risk nature” of the devices prompted zLabs, Zimperium’s advanced research & exploitation team, to take a look at the connectivity components paired with these operating systems. Devices that have connectivity to the outside world are at a higher degree of risk of being attacked, the firm said in the blog.

Zimperium offers enterprise-class protection for mobile devices & apps against mobile cyber attacks. The findings come out of its current IoT platform threat research, in which zLabs examined some of the top operating systems in the IoT market, including FreeRTOS, which claims to be a market leader in the IoT & embedded platforms market. Zimperium has apprised Amazon of the security glitches & is working with it to produce patches for the detected flaws. The patches were deployed for AWS FreeRTOS versions 1.3.2 & later.

Zimperium stated it also received confirmation from WHIS regarding exposure to the same vulnerabilities. Those, too, were patched together with Amazon.

The technical details of the findings will be published after 30 days, as this is an open source project. The delay also lets smaller vendors patch the flaws, the post stated.

What exactly are FreeRTOS & SafeRTOS, & what are they used for:

  • FreeRTOS has been ported to over 40 hardware platforms over the last 14 years. In November 2017, AWS took FreeRTOS kernel & its components under its aegis.
  • AWS FreeRTOS offers to provide a fully enabled IoT platform for microcontrollers, by bundling the FreeRTOS kernel together with the FreeRTOS TCP/IP stack, modules for secure connectivity, over the air updates, code signing, AWS Cloud support.
  • A commercial version of FreeRTOS, named OpenRTOS, is maintained by WHIS.
  • WHIS also offers a safety-oriented RTOS named SafeRTOS, based on the functional model of FreeRTOS. It is certified for use in safety critical systems.
  • FreeRTOS & SafeRTOS are used in industries such as IoT, aerospace, medical & automotive.
Image Credit: Zimperium

 
