Denial of Service and Remote Code Execution Vulnerability in Amazon Web Services FreeRTOS
CVE-2018-16601

8.1 HIGH

Key Information:

Vendor: Amazon

CVE Published: 6 December 2018

What is CVE-2018-16601?

A crafted IP header in Amazon Web Services FreeRTOS releases up to 1.3.1 and V10.0.1 (with FreeRTOS+TCP), as well as the WITTENSTEIN WHIS Connect middleware, can trigger a full memory space copy in the prvProcessIPPacket function. Exploitation can cause a denial of service that disrupts operations, and may allow remote code execution.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
