New Vulnerabilities Disclosed in Real-Time Operating Systems
Multiple new security vulnerabilities in real-time operating systems (RTOS) were reported in January, highlighting ongoing risks in embedded systems. The flaws involve weaknesses in memory management, privilege escalation, and input validation, reinforcing the need for continuous monitoring and patching in connected and safety-critical devices.
- The memory management flaws are memory-safety bugs in how a system sizes, allocates and frees buffers; BadAlloc (below) is the canonical RTOS case. Dynamic allocation (`malloc()`) is also a reliability problem on an RTOS: it is non-deterministic in timing, and heap fragmentation or leaks can degrade a device until it crashes. Those failures are denial of service rather than code execution, but on a safety-critical device an outage can do as much harm.
- Privilege escalation exploits a bug or misconfiguration in the kernel, a driver or an application to obtain rights beyond those granted to the calling task or user. On many small RTOSes without an MMU every task runs in one shared, privileged address space, so a memory-safety bug in any task is effectively already an escalation.
- A significant precedent for widespread RTOS vulnerabilities was the "Urgent/11" disclosure in 2019, which affected Wind River's VxWorks and an estimated 200 million devices, including patient monitors, industrial controllers and firewalls.
- The Urgent/11 flaws lived in the IPnet TCP/IP stack, which had been licensed to and used by at least six other real-time operating systems, including Microsoft's ThreadX and Mentor's Nucleus RTOS, showing how one bug in a shared networking stack propagates across the embedded landscape.
- Similarly, "BadAlloc", published in a 2021 CISA advisory, is a set of integer overflow flaws in the memory allocation functions (`malloc`, `calloc`, `realloc` and similar) of numerous RTOSes and embedded C libraries, including Amazon FreeRTOS and Apache NuttX. When an attacker controls the requested size, the size arithmetic wraps, a small block is allocated for a large write, and the resulting heap overflow can lead to remote code execution.
- In industrial settings, input validation vulnerabilities are reachable over common OT protocols: researchers have demonstrated that sending malicious Modbus packets to a power-monitoring gateway running the µC/OS-III RTOS could trigger denial-of-service conditions.
- The consequences of such exploits in operational technology (OT) extend to physical damage, as seen in historical attacks on industrial infrastructure that caused power outages, disrupted manufacturing and released untreated sewage.
- Vulnerabilities disclosed in 2018 in the popular FreeRTOS, in its TCP/IP stack, included flaws that could let an attacker crash a device, read information from its memory or execute code remotely, potentially enabling the creation of IoT botnets.
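The BadAlloc pattern described above, as an added example that is not code from FreeRTOS, NuttX, any advisory or any real allocator: a toy bump allocator standing in for an RTOS heap, with an array allocation helper written the vulnerable way (unchecked `n * size`) beside a hardened one. The names `toy_heap`, `toy_malloc`, `alloc_array_unchecked`, `alloc_array_checked` and `overflowing_count` are this example's own.

```c
/*
 * Added example for this page: a toy RTOS-style heap with an array
 * allocation helper written the BadAlloc way (unchecked n * size) next to
 * a hardened version. Not code from FreeRTOS, NuttX, any advisory or any
 * real allocator; all names here are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE 4096
static uint8_t toy_heap[HEAP_SIZE];   /* stand-in for the RTOS heap region */
static size_t  heap_top;              /* bump pointer; no free() needed here */

void   toy_heap_reset(void) { heap_top = 0; memset(toy_heap, 0, HEAP_SIZE); }
size_t toy_heap_used(void)  { return heap_top; }

/* Bump allocator with 8-byte alignment. The rounding is itself guarded so
 * that a request near SIZE_MAX cannot wrap to a tiny "need". */
void *toy_malloc(size_t bytes)
{
    if (bytes > SIZE_MAX - 7) return NULL;
    size_t need = (bytes + 7) & ~(size_t)7;
    if (need > HEAP_SIZE - heap_top) return NULL;
    void *p = &toy_heap[heap_top];
    heap_top += need;
    return p;
}

/* VULNERABLE (the BadAlloc pattern): n * size is computed in size_t with no
 * overflow check. For a large n the product wraps, a small block is
 * returned, and the caller then writes n elements straight past it. */
void *alloc_array_unchecked(size_t n, size_t size)
{
    return toy_malloc(n * size);
}

/* HARDENED: reject any count/size pair whose product does not fit. */
void *alloc_array_checked(size_t n, size_t size)
{
    if (n != 0 && size > SIZE_MAX / n) return NULL;   /* would overflow */
    return toy_malloc(n * size);
}

/* What the unchecked path actually asks the heap for. */
size_t wrapped_request(size_t n, size_t size) { return n * size; }

/* An element count chosen so that n * 16 == SIZE_MAX + 1 + 64, i.e. the
 * product wraps to exactly 64 bytes whatever the width of size_t. */
size_t overflowing_count(void) { return SIZE_MAX / 16 + 5; }

int main(void)
{
    size_t n = overflowing_count();
    toy_heap_reset();
    printf("request: %zu elements x 16 bytes\n", n);
    printf("unchecked asks the heap for %zu bytes\n", wrapped_request(n, 16));
    void *p = alloc_array_unchecked(n, 16);
    printf("unchecked returned %s, heap used = %zu bytes\n",
           p ? "a block" : "NULL", toy_heap_used());
    printf("checked   returned %s\n",
           alloc_array_checked(n, 16) ? "a block" : "NULL");
    return 0;
}
```

The division check (`size > SIZE_MAX / n`) is portable C; on GCC and Clang `__builtin_mul_overflow(n, size, &total)` expresses the same guard in one call. Either way the fix belongs inside the allocator, because the callers that pass attacker-influenced counts are exactly the ones that forget to check.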
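The Modbus input-validation point above, as an added example and not code from the gateway, RTOS or research named on this page: a defensive Modbus/TCP handler for the "read holding registers" service (function 0x03) that checks every header and PDU field against the byte count actually received before touching memory. The frames and register map are constructed for the example, `REG_TABLE_SIZE` is an assumed size for a toy device, and the type and function names are this example's own.

```c
/*
 * Added example for this page: a defensive Modbus/TCP handler for the
 * "read holding registers" service (function 0x03). Not code from any
 * gateway, RTOS or advisory named above; frames, register map and
 * REG_TABLE_SIZE are constructed/assumed for the example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MBAP_LEN        7    /* transaction(2) protocol(2) length(2) unit(1) */
#define MODBUS_MAX_ADU  260  /* largest legal Modbus/TCP frame */
#define FC_READ_HOLDING 0x03
#define MAX_READ_REGS   125  /* spec limit per 0x03 request */
#define REG_TABLE_SIZE  64   /* assumed register map of this toy device */

enum mb_status {
    MB_OK = 0,
    MB_ERR_SHORT,     /* fewer bytes than the smallest legal request */
    MB_ERR_PROTOCOL,  /* protocol id must be 0 */
    MB_ERR_LENGTH,    /* MBAP length field disagrees with bytes received */
    MB_ERR_FUNCTION,  /* not a 0x03 request */
    MB_ERR_QUANTITY,  /* outside 1..125: Modbus exception 0x03 */
    MB_ERR_RANGE      /* past the register map: Modbus exception 0x02 */
};

typedef struct {
    uint16_t transaction, start_addr, quantity;
    uint8_t  unit;
} modbus_req;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Check every field before any of them is used. The received byte count,
 * not the length field inside the frame, decides how much may be read. */
enum mb_status parse_read_holding(const uint8_t *frame, size_t len,
                                  modbus_req *out)
{
    if (len < MBAP_LEN + 5 || len > MODBUS_MAX_ADU) return MB_ERR_SHORT;
    if (be16(frame + 2) != 0) return MB_ERR_PROTOCOL;
    /* Length counts the unit id and the PDU, i.e. len - 6 bytes. */
    if ((size_t)be16(frame + 4) + 6 != len) return MB_ERR_LENGTH;
    if (frame[7] != FC_READ_HOLDING) return MB_ERR_FUNCTION;

    uint16_t start = be16(frame + 8);
    uint16_t qty   = be16(frame + 10);
    if (qty < 1 || qty > MAX_READ_REGS) return MB_ERR_QUANTITY;
    /* Widen before adding so start + qty cannot wrap in 16 bits. */
    if ((uint32_t)start + qty > REG_TABLE_SIZE) return MB_ERR_RANGE;

    out->transaction = be16(frame);
    out->unit        = frame[6];
    out->start_addr  = start;
    out->quantity    = qty;
    return MB_OK;
}

/* Serialise the response for a request that already passed parsing.
 * Returns bytes written, or 0 if resp is too small. */
size_t build_read_response(const modbus_req *req, const uint16_t *regs,
                           uint8_t *resp, size_t cap)
{
    size_t data_bytes = (size_t)req->quantity * 2;   /* at most 250 */
    size_t total = MBAP_LEN + 2 + data_bytes;        /* + fc + byte count */
    if (cap < total) return 0;
    resp[0] = (uint8_t)(req->transaction >> 8);
    resp[1] = (uint8_t)req->transaction;
    resp[2] = 0; resp[3] = 0;                        /* protocol id */
    resp[4] = (uint8_t)((total - 6) >> 8);
    resp[5] = (uint8_t)(total - 6);                  /* MBAP length */
    resp[6] = req->unit;
    resp[7] = FC_READ_HOLDING;
    resp[8] = (uint8_t)data_bytes;
    for (size_t i = 0; i < req->quantity; i++) {
        uint16_t v = regs[req->start_addr + i];
        resp[9 + 2 * i]  = (uint8_t)(v >> 8);
        resp[10 + 2 * i] = (uint8_t)v;
    }
    return total;
}

/* Constructed frames: transaction, protocol, length, unit, fc, start, qty. */
const uint8_t FRAME_OK[12]       = {0,1, 0,0, 0,6,    1, 0x03, 0,0,  0,10};
const uint8_t FRAME_HUGE_QTY[12] = {0,2, 0,0, 0,6,    1, 0x03, 0,0,  0xFF,0xFF};
const uint8_t FRAME_BAD_LEN[12]  = {0,3, 0,0, 0,0xFF, 1, 0x03, 0,0,  0,10};
const uint8_t FRAME_RANGE[12]    = {0,4, 0,0, 0,6,    1, 0x03, 0,60, 0,10};
const uint16_t DEMO_REGS[REG_TABLE_SIZE] = {0x1234, 0x5678};   /* rest 0 */

int main(void)
{
    modbus_req req;
    uint8_t resp[MODBUS_MAX_ADU];
    printf("FRAME_OK       -> %d\n", parse_read_holding(FRAME_OK, 12, &req));
    printf("response bytes -> %zu\n",
           build_read_response(&req, DEMO_REGS, resp, sizeof resp));
    printf("FRAME_HUGE_QTY -> %d\n", parse_read_holding(FRAME_HUGE_QTY, 12, &req));
    printf("FRAME_BAD_LEN  -> %d\n", parse_read_holding(FRAME_BAD_LEN, 12, &req));
    printf("FRAME_RANGE    -> %d\n", parse_read_holding(FRAME_RANGE, 12, &req));
    return 0;
}
```

The two rejections that matter most for a gateway are the length mismatch (a handler that trusts the MBAP length field over the bytes it actually received will read past its buffer) and the quantity and range checks (a handler that trusts a 16-bit quantity of 0xFFFF will read and copy far beyond its register table). Both are denial-of-service or information-disclosure conditions on a flat-memory RTOS, which is the class of failure the research above reported.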