Multiple vulnerabilities in FreeRTOS



Published: 2018-10-19
Risk: High
Patch available: YES
Number of vulnerabilities: 13
CVE-ID: CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528, CVE-2018-16523, CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603, CVE-2018-16598
CWE-ID: CWE-264, CWE-119, CWE-369, CWE-401, CWE-125
Exploitation vector: Network
Public exploit: Public exploit code for vulnerabilities #1 to #13 is available.
Vulnerable software
FreeRTOS
Operating systems & Components / Operating system

OpenRTOS
Operating systems & Components / Operating system

SafeRTOS
Operating systems & Components / Operating system

Vendor Amazon Web Services
WITTENSTEIN high integrity systems

Security Bulletin

This security bulletin contains information about 13 vulnerabilities.

1) Remote code execution

EUVDB-ID: #VU15434

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16522

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a flaw within the SOCKETS_SetSockOpt function of the AWS secure sockets module in the TCP/IP stack of FreeRTOS. A remote attacker can supply a crafted list of ALPN protocols and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Memory corruption

EUVDB-ID: #VU15435

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16525

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a flaw in the TCP/IP stack of FreeRTOS. A remote attacker can send specially crafted DNS/LLMNR packets, trigger memory corruption in the DNS/LLMNR handling and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Memory corruption

EUVDB-ID: #VU15436

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16526

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists because the code does not handle IP options at all and simply removes them from the packet using memmove, truncating the xDataLength field of the network buffer. A remote attacker can trigger memory corruption in usGenerateProtocolChecksum and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Remote code execution

EUVDB-ID: #VU15437

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16528

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the MQTT and Greengrass Discovery (GGD) modules of FreeRTOS because the MQTT agent and GGD modules misuse the mbedTLS API, creating a corrupt mbedTLS context object. A remote attacker can execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Divide by zero

EUVDB-ID: #VU15438

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16523

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The weakness exists in the function prvCheckOptions, which checks the TCP options supplied within a received (Rx) TCP packet. A remote attacker can trigger a divide-by-zero error in prvCheckOptions within the TCP/IP component and crash the system.

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

6) Information disclosure

EUVDB-ID: #VU15439

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16524

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the function prvCheckOptions, which checks the TCP options supplied within a received (Rx) TCP packet. A remote attacker can trigger a memory leak and access arbitrary data.

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

7) Information disclosure

EUVDB-ID: #VU15440

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16527

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because prvProcessICMPPacket does not validate that the received frame is large enough to be an ICMP packet. A remote attacker can trigger an ICMP memory leak and access arbitrary data.

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

8) Information disclosure

EUVDB-ID: #VU15441

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16599

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because prvTreatNBNS, just like prvParseDNSReply, does not check whether xDataLength is large enough to contain the parsed NBNS packet. A remote attacker can trigger a memory leak in NBNS and access arbitrary data.

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

9) Information disclosure

EUVDB-ID: #VU15442

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16600

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because eARPProcessPacket does not validate that the received frame is large enough to be an ARP packet. A remote attacker can trigger an ARP memory leak and access arbitrary data.

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

10) Information disclosure

EUVDB-ID: #VU15443

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16601

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the function prvProcessIPPacket, which removes the IP options field of a received (Rx) packet if it is present. A remote attacker can trigger a memory leak and access arbitrary data.

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

11) Out-of-bounds read

EUVDB-ID: #VU15444

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16602

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because the prvProcessDHCPReplies function does not validate that a packet is large enough to be a valid DHCP packet. A remote attacker can trigger an out-of-bounds read and access arbitrary data.

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

12) Out-of-bounds read

EUVDB-ID: #VU15445

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16603

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because xProcessReceivedTCPPacket does not validate that the received frame is large enough to contain a TCP header. A remote attacker can send an IP packet of TCP type that omits the TCP header, trigger an out-of-bounds read and access arbitrary data.
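
Vulnerabilities #7, #9, #11 and #12 share one root cause: a handler reads header fields before checking that the received frame is long enough to hold them. The following is an added illustration written for this bulletin, not FreeRTOS+TCP source; the constant names, classify_icmp and the sample frame are constructed, and `len` stands in for the xDataLength the bulletin mentions. It shows the ordering of length checks a receive path needs, including the IHL-dependent offset that vulnerabilities #3 and #10 concern.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper written for this bulletin, not FreeRTOS+TCP code. Offsets follow
 * the wire layout of an Ethernet II frame carrying IPv4 and ICMP. */
#define ETH_HDR_LEN     14u
#define IPV4_MIN_HDR    20u
#define ICMP_HDR_LEN    8u
#define ETHERTYPE_IPV4  0x0800u
#define IPPROTO_ICMP_N  1u
#define ICMP_ECHO_REQ   8u

typedef enum { ICMP_DROP = 0, ICMP_ECHO_REQUEST = 1, ICMP_OTHER = 2 } icmp_verdict_t;

/* Check every length against the bytes actually received (`len` plays the role of
 * xDataLength) before any header field is dereferenced. */
icmp_verdict_t classify_icmp(const uint8_t *frame, size_t len, size_t *payload_len)
{
    size_t ip_hdr_len, ip_total_len;

    /* 1. Room for Ethernet + a minimal IPv4 header, and it really is IPv4. */
    if (frame == NULL || len < ETH_HDR_LEN + IPV4_MIN_HDR)
        return ICMP_DROP;
    if ((((size_t)frame[12] << 8) | frame[13]) != ETHERTYPE_IPV4 || (frame[ETH_HDR_LEN] >> 4) != 4)
        return ICMP_DROP;

    /* 2. IHL decides where ICMP starts; the options it announces must be present. */
    ip_hdr_len = (size_t)(frame[ETH_HDR_LEN] & 0x0f) * 4u;
    if (ip_hdr_len < IPV4_MIN_HDR || len < ETH_HDR_LEN + ip_hdr_len)
        return ICMP_DROP;

    /* 3. The IP total-length field must cover an ICMP header and fit in the frame. */
    ip_total_len = ((size_t)frame[ETH_HDR_LEN + 2] << 8) | frame[ETH_HDR_LEN + 3];
    if (ip_total_len < ip_hdr_len + ICMP_HDR_LEN || ip_total_len > len - ETH_HDR_LEN)
        return ICMP_DROP;
    if (frame[ETH_HDR_LEN + 9] != IPPROTO_ICMP_N)
        return ICMP_DROP;

    /* 4. Only now is reading the ICMP type byte within bounds. */
    if (payload_len != NULL)
        *payload_len = ip_total_len - ip_hdr_len - ICMP_HDR_LEN;
    return frame[ETH_HDR_LEN + ip_hdr_len] == ICMP_ECHO_REQ ? ICMP_ECHO_REQUEST : ICMP_OTHER;
}

/* Constructed sample: 42-byte echo request (IHL=5, total length 28, checksums left zero). */
static const uint8_t k_echo_frame[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,   /* Ethernet */
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x00,0x00, 0x40,0x01,0x00,0x00,             /* IPv4 */
    0x0a,0x00,0x00,0x02, 0x0a,0x00,0x00,0x01,
    0x08,0x00,0x00,0x00, 0x00,0x00,0x00,0x00                                   /* ICMP echo */
};
```

Passing the same 42-byte sample with a shorter `len`, an IHL that claims options the frame does not carry, or an inflated total length all yield ICMP_DROP before any ICMP byte is touched.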

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

13) Information disclosure

EUVDB-ID: #VU15446

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-16598

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because the code takes no steps to prevent DNS poisoning: any DNS answer the device receives is parsed fully, without checking whether it matches an outgoing DNS query. A remote attacker can trigger a memory leak and access arbitrary data.
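
The missing step described above, together with the xDataLength check of vulnerability #8, can be illustrated with a reply gate that runs before any answer record is parsed. This is an added example written for this bulletin, not FreeRTOS+TCP's resolver; dns_register_query, dns_accept_reply, the pending-query table and the sample header are constructed. Matching the 16-bit ID is the minimum; a full resolver also binds the reply to the socket it sent the query from and to the expected server address.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical reply-gating code written for this bulletin, not FreeRTOS+TCP's own.
 * A DNS header is 12 bytes: ID, flags, then the QD/AN/NS/AR counts. */
#define DNS_HDR_LEN  12u
#define DNS_FLAG_QR  0x80u      /* bit 7 of flags byte 0: set on responses */
#define MAX_PENDING  4u

typedef struct { uint16_t id; int in_use; } pending_query_t;
static pending_query_t g_pending[MAX_PENDING];

/* Remember the ID of a query this host is about to send. In production the ID
 * (and the source port) should come from a CSPRNG so they cannot be guessed. */
int dns_register_query(uint16_t id)
{
    size_t i;
    for (i = 0; i < MAX_PENDING; i++) {
        if (!g_pending[i].in_use) {
            g_pending[i].id = id;
            g_pending[i].in_use = 1;
            return 1;
        }
    }
    return 0;                   /* table full: caller must not send the query */
}

/* Gate a received DNS packet before any answer record is parsed. Returns 1 only
 * for a response whose ID matches an outstanding query; that slot is then released
 * so a duplicate of the same reply is rejected. Everything else returns 0. */
int dns_accept_reply(const uint8_t *pkt, size_t len)
{
    uint16_t id;
    size_t i;
    if (pkt == NULL || len < DNS_HDR_LEN)
        return 0;               /* header does not fit in the received length */
    if ((pkt[2] & DNS_FLAG_QR) == 0)
        return 0;               /* a query, not a response */
    id = (uint16_t)(((unsigned)pkt[0] << 8) | pkt[1]);
    for (i = 0; i < MAX_PENDING; i++) {
        if (g_pending[i].in_use && g_pending[i].id == id) {
            g_pending[i].in_use = 0;
            return 1;
        }
    }
    return 0;                   /* unsolicited answer: dropped instead of parsed */
}

/* Constructed sample: response header, ID 0x1234, flags 0x8180, QDCOUNT 1, ANCOUNT 1. */
static const uint8_t k_reply_hdr[DNS_HDR_LEN] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00
};
```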

Mitigation

Update the affected software to version 1.3.2.

Vulnerable software versions

FreeRTOS: 1.00 - 10.0.1

OpenRTOS: before 1.3.2

SafeRTOS: before 1.3.2

External links

http://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wide-range-devices-risk-compromi...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
