NXP Semiconductors has workarounds available until a new product releases in January for buffer overflow and out of bounds read vulnerabilities in its MQX RTOS, according to a report with ICS-CERT.
The following versions of MQX Real-Time Operating System (RTOS) are used in NXP’s ColdFire microcontrollers, Kinetis microcontrollers, i.MX processors, and Vybrid processors. Scott Gayou identified and coordinated these vulnerabilities.
Versions susceptible to the classic buffer overflow:
• MQX RTOS, Version 5.0 and prior versions, and
Versions susceptible to out-of-bounds read:
• MQX RTOS, Version 4.1 and prior versions.
Successful exploitation of these vulnerabilities may allow a remote attacker to cause a buffer overflow condition that may, in turn, cause remote code execution or out-of-bounds read conditions, resulting in a denial of service.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
In one vulnerability, the Real-Time TCP/IP Communications Suite (RTCS) in MQX’s DHCP client fails to sanitize all inputs, which may allow maliciously crafted DHCP packets to cause memory to be overwritten, allowing remote code execution.
CVE-2017-12718 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.
In the other issue, the DNS client for MQX fails to bounds check DNS response parameters, which may allow maliciously crafted DNS packets to cause memory to be read out-of-bounds, resulting in a denial of service.
CVE-2017-12722 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product sees use in the communications, critical manufacturing, healthcare and public health, and transportation sectors. It sees action on a global basis.
Eindhoven, Netherlands-based NXP is planning to release a product fix for MQX, Version 5.1, by January, which will address both vulnerabilities. Until the product fix can be applied, NXP recommends users consider implementing the following interim mitigations to limit the risk of exploitation of the identified vulnerabilities:
• For MQX users running Version 5.0, NXP produced a code modification that can be applied prior to the release of Version 5.1. Users can contact NXP directly via email to get additional information.
• For MQX users running Version 4.1 and prior versions, NXP recommends users update to Version 4.2 or Version 5.0, which do not contain the out-of-bounds read vulnerability.