The freeRTOS Vulnerability Disaster



FreeRTOS, an open-source operating system that runs on the microcontrollers and microprocessors inside many IoT hardware products, has been found to contain newly disclosed vulnerabilities.

These vulnerabilities affect FreeRTOS through the TCP/IP stack.

Versions affected

Versions affected include FreeRTOS V10.0.1 (with FreeRTOS+TCP), AWS FreeRTOS V1.3.1, OpenRTOS, and SafeRTOS (with the WHIS Connect middleware TCP/IP components).

This is why it’s a disaster

Many IoT devices use FreeRTOS. These devices can be difficult to patch and are often very inexpensive. Many of them have not been updated in years.

Products built on FreeRTOS include temperature monitors, fitness trackers and appliances. TCP/IP is the most vulnerable protocol, and these devices connect to the internet.

We know these devices are connected, so we can conclude that they can be patched.

But will they be?

Most likely not. This vulnerability could be exploited for many years to come.

Here is the full list of vulnerabilities that affect FreeRTOS, with their identifiers and impact.

CVE-2018-16522 Remote Code Execution
CVE-2018-16525 Remote Code Execution
CVE-2018-16526 Remote Code Execution
CVE-2018-16528 Remote Code Execution
CVE-2018-16523 Denial of Service
CVE-2018-16524 Information Leak
CVE-2018-16527 Information Leak
CVE-2018-16599 Information Leak
CVE-2018-16600 Information Leak
CVE-2018-16601 Information Leak
CVE-2018-16602 Information Leak
CVE-2018-16603 Information Leak
CVE-2018-16598 Other