Information Disclosure in FreeRTOS TCP/IP Component by AWS and WITTENSTEIN
CVE-2018-16524
5.9 MEDIUM
What is CVE-2018-16524?
Amazon Web Services (AWS) FreeRTOS and WITTENSTEIN's WHIS Connect middleware are susceptible to an information disclosure vulnerability. The issue arises when TCP options are parsed in the prvCheckOptions function, potentially exposing sensitive information to unauthorized parties. The vulnerability affects AWS FreeRTOS up to version 1.3.1 and FreeRTOS+TCP up to version 10.0.1. It is a significant concern for networked devices built on these platforms and could lead to exploitation in smart home systems and critical infrastructure.
CVSS V3.1
Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved