FreeRTOS Flaws Puts Many IoT, ICS Devices at Risk
Security researchers have found serious vulnerabilities in FreeRTOS, an open source operating system that’s commonly used in embedded devices including those in smart homes and critical infrastructure.
FreeRTOS is a lightweight real-time operating system (RTOS) kernel designed for microcontrollers and small microprocessors. With support for more than 40 hardware platforms, FreeRTOS and its variants—AWS FreeRTOS, SafeRTOS and OpenRTOS—are used in millions of embedded devices across numerous industries, from sensors, smart lights and door locks in homes to medical devices, personal fitness trackers and industrial actuators and pumps.
Researchers from Zimperium’s zLabs found multiple vulnerabilities in FreeRTOS’s TCP/IP stack, the AWS secure connectivity modules and the WHIS Connect TCP/IP component of OpenRTOS/SafeRTOS. Four of the flaws can lead to remote code execution and pose a high risk to devices that are reachable over a network.
“These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it,” Zimperium researcher Ori Karliner said in a blog post. “We disclosed these vulnerabilities to Amazon, and collaborated (and continue to do so) with them to produce patches to the vulnerabilities we detected.”
The vulnerabilities were fixed in AWS FreeRTOS version 1.3.2 and higher and were also patched by WITTENSTEIN high integrity systems (WHIS) in SafeRTOS and OpenRTOS. Zimperium will withhold technical information about the flaws for another 30 days to give affected device vendors a chance to update.
However, many devices that run FreeRTOS have historically not been easy to update, especially without manual intervention from users. This means that a large number of devices deployed in the real world will likely remain vulnerable for a long time, and many will probably never get patched.
If these vulnerabilities turn out to be easy to exploit, especially over the internet, hackers will start targeting them soon after they become public, because IoT devices have become a common target for attackers over the past few years and are regularly hijacked for malicious purposes.
Flaw in Popular jQuery Component Affects Thousands of Projects
A popular JavaScript component called jQuery File Upload has had a serious vulnerability for the past eight years that potentially gave attackers access to web servers.
The arbitrary file upload and code execution vulnerability was recently found by Larry Cashdollar, a researcher with Akamai, and stems from a change the maintainers of the Apache web server made in version 2.3.9, released in October 2013.
It turns out that the jQuery File Upload widget, which is very popular and has been forked and reused in more than 7,800 other projects, relied on Apache .htaccess files as a security control to restrict the type of files that users can upload.
However, starting with version 2.3.9, the Apache maintainers disabled support for .htaccess by default to improve performance and prevent users from overriding security features that were configured on the server.
This change meant that attackers could abuse the functionality provided by jQuery File Upload to upload webshells to servers that no longer enforced .htaccess restrictions. Webshells are backdoors that allow attackers to execute commands on web servers and to copy or modify existing files.
It turns out that while the jQuery File Upload creator didn’t know about this issue, hackers did, as there are several videos on YouTube dating back years that show how to exploit this flaw in similar software packages.
jQuery File Upload has now been updated to only allow image file uploads by default. However, the vulnerability persists in many other projects that modified and used this component.
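The lesson of the jQuery File Upload case is that a file-type restriction living in web-server configuration (.htaccess) is not a control the application itself can rely on. The following is an added example written for this article; it is not code from the jQuery File Upload project, from Akamai, or from Cashdollar, and the function names are hypothetical. It assumes a Python-based upload handler and shows the checks an application should enforce on its own: a strict single-extension filename allowlist limited to image types (mirroring the project's new image-only default), a check that the file contents begin with the standard magic bytes for that image type, and a random server-chosen storage name in a directory assumed to sit outside the document root.

```python
import os
import re
import secrets
from pathlib import Path
from typing import Optional, Tuple

# Allowed image types, mapped to the standard leading byte signatures (magic
# numbers) for each format. These are well-known constants, embedded here so
# the example runs offline.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Exactly one extension: a short base name of safe characters, one dot, then
# a short alphanumeric extension. Double extensions such as "x.php.jpg" and
# names containing spaces or shell metacharacters do not match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Application-level checks that do not depend on any web-server setting.

    Returns (accepted, reason); every rejection carries a reason so it can be logged.
    """
    # Client-supplied directory components are never trusted; keep only the base name.
    base = os.path.basename(filename.replace("\\", "/"))
    m = SAFE_NAME.match(base)
    if not m:
        return False, "filename must be <name>.<single extension>"
    ext = m.group(1).lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not an allowed image type"
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        # A ".jpg" whose bytes begin with "<?php" is not an image, whatever its name says.
        return False, f"content does not match a .{ext} image signature"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Random server-chosen name; the client's name never reaches the filesystem."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(filename: str, data: bytes, upload_dir: Path) -> Optional[Path]:
    """Write an accepted upload under upload_dir (assumed to be outside the
    document root, so nothing stored there is ever served or executed directly)
    and return its path; return None if the upload was rejected."""
    ok, _reason = validate_upload(filename, data)
    if not ok:
        return None
    upload_dir.mkdir(parents=True, exist_ok=True)
    target = upload_dir / storage_name(filename)
    # Exclusive create ("x" mode) so an existing file is never overwritten.
    with open(target, "xb") as f:
        f.write(data)
    return target


if __name__ == "__main__":
    # Constructed sample inputs: a minimal JPEG header and a non-image payload
    # disguised with an image extension.
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(validate_upload("photo.jpg", b"<?php echo 1; ?>"))
    print(validate_upload("shell.php.jpg", b"\xff\xd8\xff"))
```

The two checks are deliberately independent: the extension allowlist decides how the file may later be served, and the signature check catches a script body hiding behind an image name. Neither check is a substitute for keeping the upload directory out of the server's document root, which is why `save_upload` takes that directory as an explicit parameter rather than deriving it from the request.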
“For software developers, reviewing changes to the systems and libraries you rely on during the development of your project is a great idea as well,” Cashdollar said. “In the article above, a security control was removed by Apache; it not only removed a security control for Blueimp’s jQuery File Upload software project but most of all of the forked code branches off of it. The vulnerability impacted many projects that depend on it, from stand-alone web applications to WordPress plugins and other CMSs.”