NXP Semiconductors just mitigated buffer overflow and out-of-bounds read vulnerabilities in its MQX RTOS, according to a report from ICS-CERT.
The MQX Real-Time Operating System (RTOS) is used in NXP’s ColdFire microcontrollers, Kinetis microcontrollers, i.MX processors, and Vybrid processors; the versions listed below are affected. Scott Gayou identified and coordinated these vulnerabilities.
Versions susceptible to the classic buffer overflow:
• MQX RTOS, Version 5.0 and prior versions
Versions susceptible to out-of-bounds read:
• MQX RTOS, Version 4.1 and prior versions
Successful exploitation of these vulnerabilities may allow a remote attacker to cause a buffer overflow condition that may, in turn, cause remote code execution or out-of-bounds read conditions, resulting in a denial of service.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
In one vulnerability, the DHCP client in MQX’s Real-Time TCP/IP Communications Suite (RTCS) fails to sanitize all inputs, which may allow maliciously crafted DHCP packets to cause memory to be overwritten, allowing remote code execution.
CVE-2017-12718 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.
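The advisory does not publish the affected code. The C example below is an added illustration, not NXP's code and not taken from the advisory, of the two length checks a DHCP option parser needs before copying a value: one against the end of the received options field and one against the destination buffer. The function name `dhcp_get_option` and the sample option arrays are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD 0    /* single-byte padding option */
#define DHCP_OPT_END 255  /* single-byte end-of-options marker */

/* Constructed sample option fields (tag, length, value ...). */
static const uint8_t ok_opts[]    = {53, 1, 5, 1, 4, 255, 255, 255, 0, 255};
static const uint8_t trunc_opts[] = {12, 200, 'a', 'b', 255}; /* length lies */
static const uint8_t long_opts[]  = {12, 8, 'h','o','s','t','n','a','m','e', 255};

/* Hypothetical helper: copy the value of option `code` into dst.
 * Returns the value length, or -1 if the option is absent, the field is
 * malformed, or the value does not fit in dst. */
int dhcp_get_option(const uint8_t *opts, size_t opts_len, uint8_t code,
                    uint8_t *dst, size_t dst_cap)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t tag = opts[i++];
        if (tag == DHCP_OPT_PAD) continue;
        if (tag == DHCP_OPT_END) break;
        if (i >= opts_len) return -1;        /* length byte missing */
        size_t len = opts[i++];
        if (len > opts_len - i) return -1;   /* value runs past the packet: read guard */
        if (tag == code) {
            if (len > dst_cap) return -1;    /* value larger than dst: write guard */
            memcpy(dst, opts + i, len);
            return (int)len;
        }
        i += len;                            /* safe: len <= remaining bytes */
    }
    return -1;
}

int main(void)
{
    uint8_t buf[4];
    printf("subnet mask: %d\n", dhcp_get_option(ok_opts, sizeof ok_opts, 1, buf, sizeof buf));
    printf("truncated:   %d\n", dhcp_get_option(trunc_opts, sizeof trunc_opts, 12, buf, sizeof buf));
    printf("oversized:   %d\n", dhcp_get_option(long_opts, sizeof long_opts, 12, buf, sizeof buf));
    return 0;
}
```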
In the other issue, the DNS client for MQX fails to bounds-check DNS response parameters, which may allow maliciously crafted DNS packets to cause memory to be read out-of-bounds, resulting in a denial of service.
CVE-2017-12722 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product is used in the communications, critical manufacturing, healthcare and public health, and transportation sectors, and it is deployed on a global basis.
Eindhoven, Netherlands-based NXP released MQX, Version 5.1 on January 31, which addresses both vulnerabilities.
• For MQX users running versions older than 5.1, NXP produced an update.
• For MQX users running Version 5.0, NXP recommends users update to version 5.1 or the latest version. Existing licensees will be contacted about the update. Users can also contact NXP directly via email to get additional information as needed.
• For MQX users running Version 4.2 and prior versions, NXP recommends users obtain a patch or update to Version 5.1, which does not contain the out-of-bounds read vulnerability. Please contact NXP via email to get additional information as needed.