Multiple RTOS (Update E)
Act Now | 9.8 | ICS-CERT ICSA-21-119-04 | Apr 29, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An integer overflow vulnerability in malloc/memory allocation functions affects 31 real-time operating systems and embedded SDKs. Successful exploitation could result in unexpected behavior such as device crash or remote code injection/execution. Affected RTOS include BlackBerry QNX (standard and safety-critical variants), Windriver VxWorks, Texas Instruments SimpleLink, Amazon FreeRTOS, ARM CMSIS-RTOS2 and Mbed OS, NXP MCUXpresso/MQX, Google Cloud IoT Device SDK, Cesanta Mongoose OS, Micrium OS, Redhat newlib, and others. Devices running vulnerable versions prior to the patched releases are at risk of exploitation via a network-reachable attack vector.
What this means
What could happen
An integer overflow in malloc/memory allocation routines used by embedded RTOS systems could allow remote code execution or crash devices that manage critical infrastructure processes. This affects real-time operating systems running on controllers, gateways, and safety-critical devices across healthcare, energy, and industrial sectors.
Who's at risk
This advisory affects multiple real-time operating systems (RTOS) used in embedded devices across healthcare, energy, and industrial sectors. Primary impact includes: Hitachi Energy devices (GMS600, PWC600, REB500, Relion 670/650, RTU500 CMU, MSM) using Windriver VxWorks; Texas Instruments wireless microcontrollers and energy management systems (CC32XX, SimpleLink CC13XX/CC26XX, MSP432E4); BlackBerry QNX safety-critical systems (medical devices, safety controllers); NXP controllers used in industrial gateways; ARM Mbed devices in IoT deployments; Amazon FreeRTOS in cloud-connected embedded systems. Any IoT device, wireless sensor, safety controller, or remote gateway running these vulnerable RTOS versions is affected.
How it could be exploited
An attacker with network access to a device running a vulnerable RTOS can send a specially crafted packet or input that triggers an integer overflow in memory allocation. This overflow allows the attacker to execute arbitrary code on the device or cause it to crash, potentially disrupting critical process control functions.
Prerequisites
- Network access to the affected device
- Device must be running a vulnerable RTOS version listed in the advisory
- No authentication required
- Remotely exploitable
- No authentication required
- Low complexity
- Affects multiple safety-critical platforms
- Wide range of affected RTOS used in production devices
- Many products with no fix planned or unavailable
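The summary attributes the issue to an integer overflow in malloc/memory allocation functions. The C below is an added example of that general bug class and its guard, not code from the advisory or from any listed vendor: an allocator's size computation with and without a range check. The header size, alignment, function names, and input value are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed allocator parameters (assumptions, not from any listed RTOS). */
#define HDR_SIZE ((size_t)16)   /* per-block bookkeeping header */
#define ALIGN    ((size_t)8)    /* block alignment, power of two */

/* Unchecked form: header and alignment padding are added to the caller's
 * size with no range check, so a request near SIZE_MAX wraps to a tiny block. */
size_t block_size_unchecked(size_t req)
{
    return (req + HDR_SIZE + ALIGN - 1) & ~(ALIGN - 1);
}

/* Checked form: reject any request whose padded size cannot be represented.
 * Returns 0 and stores the block size in *out, or -1 on overflow. */
int block_size_checked(size_t req, size_t *out)
{
    if (req > SIZE_MAX - HDR_SIZE - (ALIGN - 1))
        return -1;
    *out = (req + HDR_SIZE + ALIGN - 1) & ~(ALIGN - 1);
    return 0;
}

/* calloc-style element count times element size, guarded the same way. */
int array_size_checked(size_t nmemb, size_t size, size_t *out)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return -1;
    *out = nmemb * size;
    return 0;
}

int main(void)
{
    size_t huge = SIZE_MAX - 4, out = 0;   /* constructed oversized length */
    printf("unchecked block for %zu bytes: %zu\n",
           huge, block_size_unchecked(huge));
    printf("checked block result: %d\n", block_size_checked(huge, &out));
    printf("checked array result: %d\n",
           array_size_checked(SIZE_MAX / 2, 4, &out));
    return 0;
}
```

In the unchecked form the allocator would hand back a block far smaller than the length the caller goes on to write, which is why the patched releases matter even where the length field looks harmless.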
Exploitability
Moderate exploit probability (EPSS 3.8%)
Affected products (28)
28 pending
Product | Affected Versions | Fix Status
BlackBerry QNX SDP | ≤ 6.5.0 SP1 | No fix yet
TencentOS-tiny | 3.1.0 | No fix yet
Google Cloud IoT Device SDK | 1.0.2 | No fix yet
Texas Instruments SimpleLink-CC26XX | < 4.40.00 | No fix yet
Texas Instruments SimpleLink: MSP432E4XX | MSP432E4XX | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Apply vendor firmware updates for affected devices: update Amazon FreeRTOS, Apache NuttX OS 9.1.0, ARM CMSIS-RTOS2 (June expected), ARM Mbed OS, Blackberry QNX 6.5.0 SP1, Blackberry QNX OS for Safety/Medical, Google Cloud IoT Device SDK, Cesanta Mongoose OS, eCosPro RTOS to 4.5.4 or newer, Media Tek LinkIt SDK, Micrium OS to v5.10.2 or later, Micrium uC/LIB to v1.39.1, NXP MCUXpresso SDK to 2.9.0 or later, NXP MQX to 5.1 or newer, Redhat newlib, RIOT OS, Samsung Tizen RT RTOS, TencentOS-tiny, Texas Instruments CC32XX/SimpleLink variants, uClibc-ng, Windriver VxWorks, and Zephyr to 2.5 or later.
WORKAROUND: Perform impact analysis and risk assessment before deploying updates to ensure minimal disruption to operational processes.
Long-term hardening
HARDENING: Minimize network exposure by ensuring all embedded control devices and IoT devices are not accessible from the Internet.
HARDENING: Isolate control system networks and remote devices behind firewalls, separating them from business networks.
HARDENING: For required remote access, use secure VPN connections and keep VPN software updated to the latest version.
CVEs (24)
CVE-2021-30636, CVE-2021-27431, CVE-2021-27433, CVE-2021-27435, CVE-2021-27427, CVE-2021-22684, CVE-2021-27439, CVE-2021-27425, CVE-2021-26461, CVE-2020-35198, CVE-2020-28895, CVE-2021-31571, CVE-2021-31572, CVE-2021-27417, CVE-2021-3420, CVE-2021-27421, CVE-2021-22680, CVE-2021-27419, CVE-2021-27429, CVE-2021-22636, CVE-2021-27504, CVE-2021-27502, CVE-2021-27411, CVE-2021-26706