CISA Advisory (ICSA-21-119-04)

Affected Systems and Vulnerability

Below are the affected systems from this vulnerability. For more information on the specific vulnerabilities for each tool, go to https://cwe.mitre.org/data/definitions/190.html for more information. 

• Amazon FreeRTOS, Version 10.4.1
• Apache Nuttx OS, Version 9.1.0 
• ARM CMSIS-RTOS2, versions prior to 2.1.3
• ARM Mbed OS, Version 6.3.0
• ARM mbed-ualloc, Version 1.3.0
• BlackBerry QNX SDP Versions 6.5.0 SP1 and earlier
• BlackBerry QNX OS for Safety Versions 1.0.1 and earlier safety products compliant with IEC 61508 and/or ISO 26262
• BlackBerry QNX OS for Medical Versions 1.1 and earlier safety products compliant with IEC 62304
  • A full list of affected QNX products and versions is available here

• Cesanta Software Mongoose OS, v2.17.0
• eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
• Google Cloud IoT Device SDK, Version 1.0.2
• Media Tek LinkIt SDK, versions prior to 4.6.1
• Micrium OS, Versions 5.10.1 and prior
• Micrium uC/OS: uC/LIB Versions 1.38.xx, Version 1.39.00
• NXP MCUXpresso SDK, versions prior to 2.8.2
• NXP MQX, Versions 5.1 and prior
• Redhat newlib, versions prior to 4.0.0
• RIOT OS, Version 2020.01.1 
• Samsung Tizen RT RTOS, versions prior 3.0.GBB
• TencentOS-tiny, Version 3.1.0
• Texas Instruments CC32XX, versions prior to 4.40.00.07
• Texas Instruments SimpleLink MSP432E4XX
• Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
• Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
• Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
• Uclibc-NG, versions prior to 1.0.36 
• Windriver VxWorks, prior to 7.0
• Zephyr Project RTOS, versions prior to 2.5

What Can You Do?

Below are mitigations for this vulnerability on the various systems it affects. The majority of systems have updates/patches available for this potential exploit. CyberHoot recommends you update immediately if you use these tools. 

• Amazon FreeRTOS – Update available
• Apache Nuttx OS Version 9.1.0 – Update available
• ARM CMSIS-RTOS2 – Update in progress, expected in June
• ARM Mbed OS – Update available
• ARM mbed-ualloc – no longer supported and no fix will be issued
• Blackberry QNX 6.5.0SP1 – Update available. See public advisory
• Blackberry QNX OS for Safety 1.0.2 – Update available. See public advisory
• Blackberry QNX OS for Medical 1.1.1 – Update available. See public advisory
• Cesanta Software mongooses – Update available 
• eCosCentric eCosPro RTOS: Update to Versions 4.5.4 and newer – Update available
• Google Cloud IoT Device SDK – Update available
• Media Tek LinkIt SDK – MediaTek will provide the update to users. No fix for the free version, as it is not intended for production use. 
• Micrium OS: Update to v5.10.2 or later – Update available
• Micrium uCOS: uC/LIB Versions 1.38.xx, 1.39.00: Update to v1.39.1 – Update available
• NXP MCUXpresso SDK – Update to 2.9.0 or later 
• NXP MQX –  update to 5.1 or newer
• Redhat newlib – Update available
• RIOT OS – Update available
• Samsung Tizen RT RTOS – Update available
• TencentOS-tiny – Update available
• Texas Instruments CC32XX – Update to v4.40.00.07
• Texas Instruments SimpleLink CC13X0 – Update to v4.10.03
• Texas Instruments SimpleLink CC13X2-CC26X2 – Update to v4.40.00
• Texas Instruments SimpleLink CC2640R2 – Update to v4.40.00
• Texas Instruments SimpleLink MSP432E4 – Confirmed. No update currently planned
• uClibc-ng – Update available
• Windriver VxWorks – Update in progress
• Zephyr Project: Update to 2.5 or later.  Patches are available for prior supported versions. See the Zephyr security advisory for more information.