
FreeRTOS, a popular real-time operating system kernel for embedded devices, has been found to have 13 vulnerabilities, as reported by BleepingComputer yesterday. Some of these 13 vulnerabilities allow remote code execution.

FreeRTOS supports more than 40 hardware platforms and powers microcontrollers in a diverse range of products, including temperature monitors, appliances, sensors, fitness trackers, and other microcontroller-based devices. It runs on small components and lacks the complexity that comes with more elaborate hardware, but it allows data to be processed as it comes in.

A researcher at Zimperium, Ori Karliner, analyzed the operating system and found that all of its varieties are vulnerable to:

  • 4 remote code execution bugs,
  • 1 denial of service,
  • 7 information leaks, and
  • 1 other security problem that has not yet been disclosed

Here’s the full list of the vulnerabilities affecting FreeRTOS, with their identifiers:

CVE-2018-16522 Remote Code Execution
CVE-2018-16525 Remote Code Execution
CVE-2018-16526 Remote Code Execution
CVE-2018-16528 Remote Code Execution
CVE-2018-16523 Denial of Service
CVE-2018-16524 Information Leak
CVE-2018-16527 Information Leak
CVE-2018-16599 Information Leak
CVE-2018-16600 Information Leak
CVE-2018-16601 Information Leak
CVE-2018-16602 Information Leak
CVE-2018-16603 Information Leak
CVE-2018-16598 Other

FreeRTOS versions affected by the vulnerabilities

FreeRTOS versions up to V10.0.1, AWS FreeRTOS up to V1.3.1, and OpenRTOS and SafeRTOS (with WHIS Connect middleware TCP/IP components) are affected.

Amazon has been notified of the situation. In response to this, the company has released patches to mitigate the problems.

Per the report, “Amazon decided to become involved in the development of the product for the Internet-of-Things segment. The company extended the kernel by adding libraries to support cloud connectivity, security and over-the-air updates.”

According to BleepingComputer, “Zimperium is not releasing any technical details at the moment. This is to allow smaller vendors to patch the vulnerabilities. The wait time expires in 30 days.”

For more details on these vulnerabilities, see the full coverage by BleepingComputer.
