25 critical vulnerabilities in Zephyr RTOS & MCUboot bootloader. Secure your IoT Devices

The developers of Zephyr have received a nasty surprise. An audit by vulnerability assessment experts from NCC Group has revealed 25 vulnerabilities in this real-time operating system (RTOS) designed for use on Internet of Things (IoT) devices.

Experts found 6 vulnerabilities in the network stack, 5 in the system call handlers, 5 in the USB subsystem, 4 in the kernel, 3 in the firmware update mechanism, and 2 more flaws in the command shell. Two of these flaws are rated critical, two others are rated high severity, while the rest received medium and low scores. The critical flaws affect the IPv4 stack and the MQTT parser; the high severity vulnerabilities affect the system's USB components.

So far, fixes have been released only for the 15 most dangerous flaws; the developers have not yet finished fixing all the bugs found by the vulnerability assessment experts.

One of the most dangerous flaws lies in the IPv4 stack, and its exploitation could lead to memory corruption during the processing of specially crafted ICMP packets. The vulnerability in the MQTT protocol parser, caused by insufficient length verification in the header fields, could lead to remote code execution.
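As an added illustration of the check class described above (example code written for this page, not Zephyr's parser), the following decodes the MQTT fixed-header "remaining length" field and rejects frames whose declared length is malformed or exceeds what was actually received; the sample frames are constructed, not captured traffic.

```c
/* Added example, not Zephyr's code: decoding the MQTT fixed-header
 * "remaining length" (1 to 4 bytes, 7 data bits each, MSB = continuation)
 * with the bounds checks a hardened parser needs before touching the body. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns the number of header bytes consumed (2..5) and writes the payload
 * length to *out_len; returns 0 when the length field is malformed or the
 * declared payload does not fit inside the bytes actually received. */
size_t mqtt_parse_fixed_header(const uint8_t *buf, size_t buf_len,
                               uint32_t *out_len)
{
    uint32_t value = 0, multiplier = 1;
    size_t pos = 1;                 /* byte 0 is packet type + flags */

    if (buf == NULL || out_len == NULL || buf_len < 2) {
        return 0;                   /* need type byte + one length byte */
    }
    for (;;) {
        if (pos >= buf_len) {
            return 0;               /* length field runs past the buffer */
        }
        if (pos > 4) {
            return 0;               /* more than 4 length bytes: malformed */
        }
        uint8_t b = buf[pos++];
        value += (uint32_t)(b & 0x7F) * multiplier;
        if ((b & 0x80) == 0) {
            break;
        }
        multiplier *= 128;
    }
    /* The kind of check the article describes as insufficient: the declared
     * payload must fit in what was received before anything is copied. */
    if (value > buf_len - pos) {
        return 0;
    }
    *out_len = value;
    return pos;
}

/* Constructed sample frames (not real traffic). */
static const uint8_t good_frame[]  = { 0x30, 0x03, 'a', 'b', 'c' };  /* PUBLISH, 3-byte body */
static const uint8_t short_frame[] = { 0x30, 0x10, 'a', 'b' };       /* claims 16 bytes, has 2 */
static const uint8_t runaway_len[] = { 0x30, 0x80, 0x80, 0x80, 0x80, 0x80 }; /* 5 continuation bytes */

/* Parses one frame, prints the verdict, and returns the header size (0 = rejected). */
size_t check_frame(const char *name, const uint8_t *frame, size_t len)
{
    uint32_t body = 0;
    size_t hdr = mqtt_parse_fixed_header(frame, len, &body);
    if (hdr) printf("%s: ok, header %zu bytes, payload %u bytes\n", name, hdr, (unsigned)body);
    else     printf("%s: rejected\n", name);
    return hdr;
}
```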

Problems arising from exploiting the rest of the vulnerabilities include denial of service (DoS), kernel-level code execution, and more. Vulnerability assessment experts mention that most of these failures are related to the lack of checks on various system functions, which could lead to additional problems.

Other flaws affect the USB stack and individual drivers. For example, a USB mass storage issue can cause a buffer overflow and allow kernel-level code execution when the device is connected to a malicious host. The researchers also examined the code of the MCUboot open-source bootloader, in which they found a lower-severity vulnerability that could lead to a buffer overflow when using the Simple Management Protocol (SMP) over UART.

Zephyr developers are committed to releasing updates for the vulnerabilities that have not yet been fixed. For further reports on vulnerabilities, exploits, malware variants and computer security risks, you can visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.