SB2018101907 - Multiple vulnerabilities in FreeRTOS

Published: October 19, 2018

Security Bulletin ID: SB2018101907
Severity: High
Patch available: YES
Number of vulnerabilities: 13
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

High: 31%
Medium: 8%
Low: 62%

Description

This security bulletin contains information about 13 security vulnerabilities.


1) Remote code execution (CVE-ID: CVE-2018-16522)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a flaw within the SOCKETS_SetSockOpt function of the AWS secure sockets module in the TCP/IP stack of FreeRTOS. A remote attacker can supply a list of ALPN protocols and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

2) Memory corruption (CVE-ID: CVE-2018-16525)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a flaw in the TCP/IP stack of FreeRTOS. A remote attacker can send specially crafted DNS/LLMNR packets, trigger memory corruption in the DNS/LLMNR handling and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

3) Memory corruption (CVE-ID: CVE-2018-16526)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists because the code does not handle IP options at all and simply removes them from the packet using memmove, truncating the xDataLength field of the network buffer. A remote attacker can trigger memory corruption in usGenerateProtocolChecksum and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

4) Remote code execution (CVE-ID: CVE-2018-16528)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the MQTT and Greengrass discovery modules of FreeRTOS because the MQTT agent and GGD modules misuse the mbedTLS API, creating a corrupt mbedTLS context object. A remote attacker can execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

5) Divide by zero (CVE-ID: CVE-2018-16523)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the function prvCheckOptions, which checks the TCP options supplied within a received (Rx) TCP packet. A remote attacker can trigger a divide-by-zero error in prvCheckOptions within the TCP/IP component and cause the system to crash.

6) Information disclosure (CVE-ID: CVE-2018-16524)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the function prvCheckOptions, which checks the TCP options supplied within a received (Rx) TCP packet. A remote attacker can trigger a memory leak and access arbitrary data.

7) Information disclosure (CVE-ID: CVE-2018-16527)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because prvProcessICMPPacket does not validate that the received frame is large enough to be an ICMP packet. A remote attacker can trigger an ICMP memory leak and access arbitrary data.

8) Information disclosure (CVE-ID: CVE-2018-16599)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because prvTreatNBNS, just like prvParseDNSReply, does not check whether xDataLength is large enough to contain the parsed NBNS packet. A remote attacker can trigger a memory leak in NBNS and access arbitrary data.

9) Information disclosure (CVE-ID: CVE-2018-16600)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because eARPProcessPacket does not validate that the received frame is large enough to be an ARP packet. A remote attacker can trigger an ARP memory leak and access arbitrary data.

10) Information disclosure (CVE-ID: CVE-2018-16601)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the function prvProcessIPPacket, which removes the IP options field of a received (Rx) packet if it is present. A remote attacker can trigger a memory leak and access arbitrary data.

11) Out-of-bounds read (CVE-ID: CVE-2018-16602)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because the prvProcessDHCPReplies function does not validate that a packet is large enough to be a valid DHCP packet. A remote attacker can trigger an out-of-bounds read and access arbitrary data.

12) Out-of-bounds read (CVE-ID: CVE-2018-16603)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because xProcessReceivedTCPPacket does not validate that the received frame is large enough to contain a TCP header. A remote attacker can send an IP packet whose protocol field indicates TCP but that does not include a TCP header, trigger an out-of-bounds read and access arbitrary data.
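Items 7, 9, 11 and 12 all describe the same class of defect: a parser reads header fields out of a received frame without first checking that the frame is long enough to contain them, and items 3 and 10 are the IP-options variant, where the IHL field announces more header than the frame actually carries. The following added example is not FreeRTOS code; it is an illustration of the up-front length check a receive path needs before any field is parsed. The header-size constants, the verdict enum and the sample frames are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimum on-wire header sizes (constants chosen for this example). */
#define ETH_HDR_LEN   14u
#define ARP_PKT_LEN   28u   /* ARP body for Ethernet/IPv4 */
#define IPV4_MIN_HDR  20u
#define ICMP_MIN_HDR   8u
#define TCP_MIN_HDR   20u

enum frame_verdict { FRAME_ACCEPT, FRAME_DROP_TOO_SHORT, FRAME_DROP_BAD_IHL };

/* Check, before any field is parsed, that a received frame of 'len' bytes is
 * large enough to contain every header the parser would read from it.
 * The caller drops the frame on any verdict other than FRAME_ACCEPT. */
enum frame_verdict validate_frame(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN)
        return FRAME_DROP_TOO_SHORT;

    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t remaining = len - ETH_HDR_LEN;

    if (ethertype == 0x0806)   /* ARP: fixed-size body */
        return remaining >= ARP_PKT_LEN ? FRAME_ACCEPT : FRAME_DROP_TOO_SHORT;

    if (ethertype != 0x0800)   /* not IPv4: nothing more to check here */
        return FRAME_ACCEPT;

    if (remaining < IPV4_MIN_HDR)
        return FRAME_DROP_TOO_SHORT;

    /* IHL covers the fixed header plus any IP options, in 32-bit words. */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4u;
    if (ihl < IPV4_MIN_HDR)
        return FRAME_DROP_BAD_IHL;
    if (remaining < ihl)       /* options announced but not present */
        return FRAME_DROP_TOO_SHORT;

    size_t l4_len = remaining - ihl;
    switch (ip[9]) {           /* IP protocol field */
    case 1:  return l4_len >= ICMP_MIN_HDR ? FRAME_ACCEPT : FRAME_DROP_TOO_SHORT;
    case 6:  return l4_len >= TCP_MIN_HDR  ? FRAME_ACCEPT : FRAME_DROP_TOO_SHORT;
    default: return FRAME_ACCEPT;
    }
}

/* Constructed sample frames (not captured traffic). */

/* IPv4 header with protocol 6 (TCP) but no TCP header behind it. */
static const uint8_t tcp_without_header[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x02, 0xc0,0xa8,0x01,0x01
};

/* IHL=6 announces 4 bytes of IP options, but the frame ends after 20 bytes. */
static const uint8_t ip_options_truncated[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,
    0x46,0x00,0x00,0x18, 0x00,0x00,0x40,0x00, 0x40,0x01,0x00,0x00,
    0xc0,0xa8,0x01,0x02, 0xc0,0xa8,0x01,0x01
};

/* ARP ethertype with only 10 bytes of body. */
static const uint8_t arp_truncated[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01, 0x02,0x00
};

/* Complete 28-byte ARP request. */
static const uint8_t arp_request[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x02,0x00,0x00,0x00,0x00,0x01, 0xc0,0xa8,0x01,0x02,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x01
};

int main(void)
{
    static const char *names[] = { "accept", "drop: too short", "drop: bad IHL" };
    printf("tcp without header:   %s\n", names[validate_frame(tcp_without_header, sizeof tcp_without_header)]);
    printf("ip options truncated: %s\n", names[validate_frame(ip_options_truncated, sizeof ip_options_truncated)]);
    printf("arp truncated:        %s\n", names[validate_frame(arp_truncated, sizeof arp_truncated)]);
    printf("arp request:          %s\n", names[validate_frame(arp_request, sizeof arp_request)]);
    return 0;
}
```

The point of returning a verdict rather than a parsed structure is that the decision to drop is made from lengths alone, so no field beyond the ones already proven to exist is ever dereferenced; a real stack would additionally bound the TCP data offset and option length (items 5 and 6) the same way it bounds IHL here.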

13) Information disclosure (CVE-ID: CVE-2018-16598)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because the code takes no steps to prevent DNS poisoning: any DNS answer the device receives is parsed fully, without checking whether it matches an outgoing DNS query. A remote attacker can trigger a memory leak and access arbitrary data.
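The defect in item 13 is the missing correlation between a received DNS answer and a query the device actually sent. The added example below is not FreeRTOS code; the pending-query table, the packet layout and the sample packets are my own construction. It accepts a reply only when it is long enough for a DNS header, the QR bit marks it as a response, and both its transaction ID and its question name match an outstanding query; everything else is discarded before the answer section is parsed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DNS_HDR_LEN  12u
#define MAX_PENDING   4

/* One slot per outstanding query; released when its reply is consumed. */
struct pending_query { bool in_use; uint16_t id; char name[64]; };
static struct pending_query pending[MAX_PENDING];

/* Record an outgoing query so its reply can later be recognised. */
bool dns_register_query(uint16_t id, const char *name)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!pending[i].in_use) {
            pending[i].in_use = true;
            pending[i].id = id;
            strncpy(pending[i].name, name, sizeof pending[i].name - 1);
            pending[i].name[sizeof pending[i].name - 1] = '\0';
            return true;
        }
    }
    return false;   /* table full: do not send another query yet */
}

/* Decode the first question name (plain labels) into dotted form.
 * Returns false if the name runs past the end of the packet. */
static bool dns_read_qname(const uint8_t *pkt, size_t len, char *out, size_t out_len)
{
    size_t pos = DNS_HDR_LEN, o = 0;
    for (;;) {
        if (pos >= len) return false;
        uint8_t l = pkt[pos++];
        if (l == 0) break;
        if (l & 0xc0) return false;            /* compression pointers not handled here */
        if (pos + l > len || o + l + 1 >= out_len) return false;
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + pos, l);
        o += l; pos += l;
    }
    out[o] = '\0';
    return true;
}

/* Accept 'pkt' as a DNS reply only if it matches a query this device sent.
 * The matching slot is released so the same reply is not accepted twice. */
bool dns_reply_is_expected(const uint8_t *pkt, size_t len)
{
    char qname[64];
    if (len < DNS_HDR_LEN) return false;
    uint16_t id = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if ((pkt[2] & 0x80) == 0) return false;    /* QR bit clear: a query, not a reply */
    if (!dns_read_qname(pkt, len, qname, sizeof qname)) return false;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (pending[i].in_use && pending[i].id == id && strcmp(pending[i].name, qname) == 0) {
            pending[i].in_use = false;
            return true;
        }
    }
    return false;
}

/* Constructed sample packets (not captured traffic): 12-byte header, one
 * question, no answers. Flags 0x8180 = response; 0x0100 = query. */
static const uint8_t matching_reply[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01
};
static const uint8_t unsolicited_reply[] = {      /* ID never issued */
    0x99,0x99, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01
};
static const uint8_t wrong_name_reply[] = {       /* right ID, other name */
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    5,'o','t','h','e','r', 4,'t','e','s','t', 0, 0x00,0x01, 0x00,0x01
};
static const uint8_t query_not_reply[] = {        /* QR bit clear */
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01
};

int main(void)
{
    dns_register_query(0x1234, "example.com");
    printf("unsolicited: %d\n", dns_reply_is_expected(unsolicited_reply, sizeof unsolicited_reply));
    printf("wrong name:  %d\n", dns_reply_is_expected(wrong_name_reply, sizeof wrong_name_reply));
    printf("query:       %d\n", dns_reply_is_expected(query_not_reply, sizeof query_not_reply));
    printf("matching:    %d\n", dns_reply_is_expected(matching_reply, sizeof matching_reply));
    printf("replayed:    %d\n", dns_reply_is_expected(matching_reply, sizeof matching_reply));
    return 0;
}
```

Matching on the transaction ID alone is weak because the ID space is only 16 bits; checking the question name as well, and releasing the slot on first use, narrows what an unsolicited answer can do to nothing, and the length checks in dns_read_qname keep the name parser inside the buffer for the same reason as in items 7 to 12.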

Remediation

Install the update from the vendor's website.