Security Group Finds Multiple Flaws in AWS FreeRTOS

Researchers are warning of several TCP/IP vulnerabilities within the Amazon Web Services (AWS) version of the FreeRTOS operating system for Internet of Things (IoT) devices.

Zimperium, a mobile security firm headquartered in Dallas, Texas, reported this month on "multiple vulnerabilities" in the FreeRTOS TCP/IP stack that would "allow an attacker to crash the device, leak information from the device's memory, and remotely execute code on it, thus completely compromising it."

The company credited its findings to analysts in its internal research arm, zLabs. zLabs researchers discovered the vulnerabilities as part of an ongoing study on leading IoT platforms, including FreeRTOS, which currently "supports more than 35 architectures."

FreeRTOS is an open source platform for microcontrollers used in IoT systems. AWS took stewardship of FreeRTOS last year, building on the original kernel to include integration with AWS cloud services, such as AWS IoT Core and AWS Greengrass.

AWS' version of FreeRTOS aims to simplify the device management for developers in the IoT space, according to its info page:

Microcontrollers frequently run operating systems which do not have built in functionality to connect to local networks or the cloud, making IoT applications a challenge. Amazon FreeRTOS helps solve this problem by providing both the core operating system (to run the edge device) as well as software libraries that make it easy to securely connect to the cloud (or other edge devices) so you can collect data from them for IoT applications and take action.

There are also two other versions of FreeRTOS affected by Zimperium's findings, both developed by Wittenstein High Integrity Systems (WHIS): OpenRTOS and SafeRTOS.

In total, the researchers found 13 vulnerabilities ranging from remote code executions, denial-of-service attacks and data leaks. They are as follows:

  • Remote code executions: CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528
  • Denial-of-service: CVE-2018-16523
  • Data leaks: CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603
  • "Other": CVE-2018-16598

The vulnerabilities were located in "FreeRTOS's TCP/IP stack and in the AWS secure connectivity modules," Zimperium researcher Ori Karliner said in a blog post. "The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS."

Zimperium noted that the IoT devices that use these operating systems are prevalent in many industries -- including health care, aerospace and automotive -- that are considered "high risk," making these vulnerabilities especially damaging if exploited.

Karliner said Zimperium has been working with AWS and WHIS to disclose and patch the affected FreeRTOS versions.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.


Subscribe on YouTube