The bugs let hackers crash IoT devices , leak Attack.Databreach their information , and completely take them over . Researchers have found Vulnerability-related.DiscoverVulnerability that a popular Internet of Things real-time operating system – FreeRTOS – is riddled with serious vulnerabilities . The bugs could allow hackers to crash connected devices in smart homes or critical infrastructure systems , leak Attack.Databreach information from the devices ’ memory , and take them over . And while patches have been issued Vulnerability-related.PatchVulnerability , researchers warn that it still may take time for smaller vendors to update Vulnerability-related.PatchVulnerability . Researcher Ori Karliner , with Zimperium ’ s zLabs team , recently analyzed some of the leading operating systems in the IoT market – including FreeRTOS , an open-source OS specifically designed for the microcontrollers that are within IoT devices . Within several versions of FreeRTOS , Karliner found Vulnerability-related.DiscoverVulnerability 13 vulnerabilities enabling an array of attacks , including remote code execution , information leak and denial-of-service bugs . “ During our research , we discovered Vulnerability-related.DiscoverVulnerability multiple vulnerabilities within FreeRTOS ’ s TCP/IP stack and in the AWS secure connectivity modules . The same vulnerabilities are present in Vulnerability-related.DiscoverVulnerability WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS , ” according to a Thursday post by zLabs . The vulnerabilities specifically exist in Vulnerability-related.DiscoverVulnerability FreeRTOS ’ s TCP/IP stack and in the AWS secure connectivity modules ( in as well as in the WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS ) . These vulnerabilities include four remote code execution bugs ( CVE-2018-16522 , CVE-2018-16525 , CVE-2018-16526 , and CVE-2018-16528 ) ; seven information leak vulnerabilities ( CVE-2018-16524 , CVE-2018-16527 , CVE-2018-16599 , CVE-2018-16600 , CVE-2018-16601 , CVE-2018-16602 , CVE-2018-16603 ) one denial of service flaw ( CVE-2018-16523 ) and a final ( CVE-2018-16598 ) that was unspecified . zLabs said Vulnerability-related.DiscoverVulnerability it has disclosed Vulnerability-related.DiscoverVulnerability the security issues to Amazon and collaborated with them to patch Vulnerability-related.PatchVulnerability the vulnerabilities . Those fixes were deployed Vulnerability-related.PatchVulnerability for AWS FreeRTOS versions 1.3.2 and onwards . The vulnerabilities in RTOS WHIS were also patched Vulnerability-related.PatchVulnerability . Amazon did not respond to a request for comment from Threatpost . Due to the amount of vendors impacted Vulnerability-related.DiscoverVulnerability by the bugs , the researchers said Vulnerability-related.DiscoverVulnerability that they would hold off on publishing Vulnerability-related.DiscoverVulnerability further details until all holes have been sealed Vulnerability-related.PatchVulnerability .

Cisco has patched Vulnerability-related.PatchVulnerability a set of severe vulnerabilities which could lead to remote code execution in the Cisco Webex Network Recording Player for Advanced Recording Format ( ARF ) . The security flaws , CVE-2018-15414 , CVE-2018-15421 , and CVE-2018-15422 , have been issued Vulnerability-related.DiscoverVulnerability a base score of 7.8 . According to the Cisco Product Security Incident Response Team ( PSIRT ) , the flaws could lead to `` an unauthenticated , remote attacker to execute arbitrary code on a targeted system . '' The Cisco Webex Network Recording Player for Advanced Recording Format ( ARF ) , available for Windows , Mac , and Linux machines is a component for recording meetings taking place in the Cisco Webex Meetings Suite sites , Cisco Webex Meetings Online sites , and Cisco Webex Meetings Server . In a security advisory posted this week , Cisco says that the following software is affected : Cisco Webex Meetings Suite ( WBS32 ) : Webex Network Recording Player versions prior to WBS32.15.10 ; Cisco Webex Meetings Suite ( WBS33 ) : Webex Network Recording Player versions prior to WBS33.3 ; Cisco Webex Meetings Online : Webex Network Recording Player versions prior to 1.3.37 ; Cisco Webex Meetings Server : Webex Network Recording Player versions prior to 3.0MR2 . According to Cisco , each operating system is vulnerable Vulnerability-related.DiscoverVulnerability to at least one of the security flaws . The vulnerabilities are due to the improper invalidation of Webex recording files . If a victim opens a crafted , malicious file in the Cisco Webex Player -- potentially sent over Attack.Phishing email as part of a spear phishing campaign Attack.Phishing -- the bugs are triggered , leading to exploit . TechRepublic : Cisco switch flaw led to attacks on critical infrastructure in several countries There are no workarounds to address Vulnerability-related.PatchVulnerability these vulnerabilities . However , Cisco has developed Vulnerability-related.PatchVulnerability patches to automatically update Vulnerability-related.PatchVulnerability vulnerable software . It is recommended that users accept these updates as quickly as possible . The tech giant notes that some Cisco Webex Meetings builds might be at the end of their support cycles and wo n't receive these updates . In these cases , users should contact the company directly . CNET : Kansas City gets smarter thanks to Cisco and Sprint Alternatively , the ARF component is an add-on and can simply be uninstalled manually . A removal tool is has been made available . Cisco is not aware Vulnerability-related.DiscoverVulnerability of any reports of any active exploits in the wild . Steven Seeley from Source Incite and Ziad Badawi , working together with the Trend Micro Zero Day Initiative , have been credited with finding and reporting Vulnerability-related.DiscoverVulnerability the bugs . In related news this week , Trend Micro 's Zero Day Initiative disclosed Vulnerability-related.DiscoverVulnerability a Microsoft Jet zero-day vulnerability which was unpatched Vulnerability-related.PatchVulnerability at the point of public disclosure Vulnerability-related.DiscoverVulnerability . If exploited Vulnerability-related.DiscoverVulnerability , the vulnerability permits attackers to remotely execute code on infected machines .

The technical details of security vulnerabilities impacting Vulnerability-related.DiscoverVulnerability the Nvidia Video and an Android driver have been revealed Vulnerability-related.DiscoverVulnerability by Zimperium , which acquired the flaws as part of an exploit acquisition program . On Tuesday , Zimperium zLabs researchers published Vulnerability-related.DiscoverVulnerability a blog post detailing the security flaws , two escalation of privilege bugs found Vulnerability-related.DiscoverVulnerability within the NVIDIA Video driver and MSM Thermal driver . The Nvidia bug , CVE-2016-2435 , impacts Vulnerability-related.DiscoverVulnerability Android 6.0 on the Nexus 9 handset . The problem arises Vulnerability-related.DiscoverVulnerability when attackers craft an application to tamper with read/write memory values and force privilege escalation . The second security flaw , CVE-2016-2411 , involves Vulnerability-related.DiscoverVulnerability a Qualcomm power management kernel driver , the MSM Thermal driver , in Android version 6 . If an attacker crafts a malicious application , they can give themselves root access through an internal bug in the driver , leading to privilege escalation . These bugs are well documented Vulnerability-related.DiscoverVulnerability , known Vulnerability-related.DiscoverVulnerability , and for the most part security updates have been issued Vulnerability-related.PatchVulnerability . However , Zimperium says Vulnerability-related.DiscoverVulnerability that making the technical details available of these so-called Vulnerability-related.DiscoverVulnerability `` N-day '' flaws is important and can act as a catalyst to boost the speed of patch production and to iron out problems arriving between a patch being created Vulnerability-related.PatchVulnerability and vendors distributing Vulnerability-related.PatchVulnerability the update in good time . In February , Zimperium launched Vulnerability-related.DiscoverVulnerability an N-day acquisition program which is only interested in known security problems , rather than unknown and unpatched zero-days . Over the next year , the exploit purchaser is budgeting a total of $ 1.5 million to pick up the details on these exploits . Once a bug has been discovered Vulnerability-related.DiscoverVulnerability and a fix is being worked on Vulnerability-related.PatchVulnerability , an N-day exploit indicates a time of one or more days in which user systems can be compromised until a security update is issued Vulnerability-related.PatchVulnerability . `` By focusing on N-days , or patched vulnerabilities , Zimperium is applying pressure on the mobile ecosystem to re-think how and when users receive Vulnerability-related.PatchVulnerability security updates , '' the company said at the time . `` [ The ] program will reward the hard work of researchers who would n't otherwise receive compensation for an N-day exploit . ''