Data: CASIE
Negative Trigger
their information, and completely take them over.

Researchers have found [Vulnerability-related.DiscoverVulnerability] that a popular Internet of Things real-time operating system – FreeRTOS – is riddled with serious vulnerabilities. The bugs could allow hackers to crash connected devices in smart homes or critical infrastructure systems, leak [Attack.Databreach] information from the devices’ memory, and take them over. And while patches have been issued [Vulnerability-related.PatchVulnerability], researchers warn that it still may take time for smaller vendors to update [Vulnerability-related.PatchVulnerability].

Researcher Ori Karliner, with Zimperium’s zLabs team, recently analyzed some of the leading operating systems in the IoT market – including FreeRTOS, an open-source OS specifically designed for the microcontrollers that are within IoT devices. Within several versions of FreeRTOS, Karliner found [Vulnerability-related.DiscoverVulnerability] 13 vulnerabilities enabling an array of attacks, including remote code execution, information leak and denial-of-service bugs.

“During our research, we discovered [Vulnerability-related.DiscoverVulnerability] multiple vulnerabilities within FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in [Vulnerability-related.DiscoverVulnerability] WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS,” according to a Thursday post by zLabs.

The vulnerabilities specifically exist in [Vulnerability-related.DiscoverVulnerability] FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules (as well as in the WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS). These vulnerabilities include four remote code execution bugs (CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, and CVE-2018-16528); seven information leak vulnerabilities (CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, CVE-2018-16603); one denial of service flaw (CVE-2018-16523) and a final (CVE-2018-16598) that was unspecified.

zLabs said [Vulnerability-related.DiscoverVulnerability] it has disclosed [Vulnerability-related.DiscoverVulnerability] the security issues to Amazon and collaborated with them to patch [Vulnerability-related.PatchVulnerability] the vulnerabilities. Those fixes were deployed [Vulnerability-related.PatchVulnerability] for AWS FreeRTOS versions 1.3.2 and onwards. The vulnerabilities in RTOS WHIS were also patched [Vulnerability-related.PatchVulnerability]. Amazon did not respond to a request for comment from Threatpost.

Due to the amount of vendors impacted [Vulnerability-related.DiscoverVulnerability] by the bugs, the researchers said [Vulnerability-related.DiscoverVulnerability] that they would hold off on publishing [Vulnerability-related.DiscoverVulnerability] further details until all holes have been sealed [Vulnerability-related.PatchVulnerability].