===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1489.3
                  Advisory (icsa-21-119-04) Multiple RTOS
                               1 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Real-time Operating Systems (RTOS) products
Publisher:         ICS-CERT
Operating System:  Network Appliance
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-31572 CVE-2021-31571 CVE-2021-30636 CVE-2021-27504
                   CVE-2021-27502 CVE-2021-27439 CVE-2021-27435 CVE-2021-27433
                   CVE-2021-27431 CVE-2021-27429 CVE-2021-27427 CVE-2021-27425
                   CVE-2021-27421 CVE-2021-27419 CVE-2021-27417 CVE-2021-27411
                   CVE-2021-26706 CVE-2021-26461 CVE-2021-22684 CVE-2021-22680
                   CVE-2021-22636 CVE-2021-22156 CVE-2021-3420 CVE-2020-35198
                   CVE-2020-28895

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04

Comment: This bulletin contains two (2) ICS-CERT security advisories.

Revision History:  December  1 2021: Advisory updated to include affected
                                     products and mitigations
                   August   18 2021: Advisory updated to include newly
                                     disclosed details about vulnerable
                                     BlackBerry QNX-based products. See also
                                     the ACSC alert at:
                                     https://www.cyber.gov.au/acsc/view-all-content/alerts/vulnerability-affecting-blackberry-qnx-rtos
                   April    30 2021: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-21-280-05)
InHand Networks IR615 Router (Update A)

Original release date: November 30, 2021

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are
provided "as is" for informational purposes only.
The Department of Homeland Security (DHS) does not provide any warranties of
any kind regarding any information contained within. DHS does not endorse any
commercial product or service referenced in this product or otherwise. Further
dissemination of this product is governed by the Traffic Light Protocol (TLP)
marking in the header. For more information about TLP, see
https://us-cert.cisa.gov/tlp/ .

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: InHand Networks
  o Equipment: IR615 Router
  o Vulnerabilities: Improper Restriction of Rendered UI Layers or Frames,
    Improper Authorization, Cross-site Request Forgery, Inadequate Encryption
    Strength, Improper Restriction of Excessive Authentication Attempts,
    Unrestricted Upload of File with Dangerous Type, Cross-site Scripting, OS
    Command Injection, Observable Response Discrepancy, Weak Password
    Requirements

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled
ICSA-21-280-05 InHand Networks IR615 Router that was published October 7,
2021, to the ICS webpage on us-cert.cisa.gov.

3. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow an attacker to take
full control of the product, remotely perform actions on the product,
intercept communication and steal sensitive information, hijack sessions, and
brute-force user passwords. Further successful exploitation may allow the
upload of malicious files, deletion of system files, remote code execution,
and enumeration of user accounts and passwords.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

--------- Begin Update A Part 1 of 2 ---------

The following versions of the InHand Networks IR615 Router are affected:

  o IR615 Router: Versions 2.3.0.r5417 and prior

--------- End Update A Part 1 of 2 ---------

4.2 VULNERABILITY OVERVIEW

4.2.1 IMPROPER RESTRICTION OF RENDERED UI LAYERS OR FRAMES CWE-1021

The affected product's management portal does not send an X-FRAME-OPTIONS
header. An attacker may take advantage of this by sending an administrator a
link to a page that frames the router's management portal and luring the
administrator into making changes.

CVE-2021-38472 has been assigned to this vulnerability. A CVSS v3 base score
of 4.7 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N).

4.2.2 IMPROPER AUTHORIZATION CWE-285

The vendor's cloud portal allows self-registration of the affected product
without any requirement to create an account, which may allow an attacker to
take full control of the product and execute code within the internal network
to which the product is connected.

CVE-2021-38486 has been assigned to this vulnerability. A CVSS v3 base score
of 8.0 has been assigned; the CVSS vector string is
(AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).

4.2.3 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The affected product is vulnerable to cross-site request forgery: unauthorized
commands can be submitted from a user the web application trusts. This may
allow an attacker to remotely perform actions on the router's management
portal, such as making configuration changes, changing administrator
credentials, and running system commands on the router.

CVE-2021-38480 has been assigned to this vulnerability. A CVSS v3 base score
of 9.6 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
4.2.4 INADEQUATE ENCRYPTION STRENGTH CWE-326

The affected product has inadequate encryption strength, which may allow an
attacker to intercept the communication and steal sensitive information or
hijack the session.

CVE-2021-38464 has been assigned to this vulnerability. A CVSS v3 base score
of 6.4 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

4.2.5 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

The affected product has no account lockout policy configured for its login
page. This may allow an attacker to run a brute-force password attack with no
time limit and without disrupting the user's normal operation, and so obtain
valid credentials for the product interface.

CVE-2021-38474 has been assigned to this vulnerability. A CVSS v3 base score
of 6.3 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

4.2.6 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The affected product has no filter or signature check to detect or prevent the
upload of malicious files to the server, which may allow an attacker acting as
an administrator to upload malicious files. This could result in cross-site
scripting, deletion of system files, and remote code execution.

CVE-2021-38484 has been assigned to this vulnerability. A CVSS v3 base score
of 9.1 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

4.2.7 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION
('CROSS-SITE SCRIPTING') CWE-79

The affected product does not perform sufficient input validation on client
requests to the help page. This may allow an attacker to perform a reflected
cross-site scripting attack and run code in the client's browser on the
attacker's behalf.

CVE-2021-38466 has been assigned to this vulnerability.
A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L).

4.2.8 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND
('OS COMMAND INJECTION') CWE-78

The affected product's ping tool allows an attacker to inject commands into
the device. This may allow the attacker to remotely run commands on the
device.

CVE-2021-38470 has been assigned to this vulnerability. A CVSS v3 base score
of 9.1 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

4.2.9 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND
('OS COMMAND INJECTION') CWE-78

The affected product's traceroute tool allows an attacker to inject commands
into the device. This may allow the attacker to remotely run commands on the
device.

CVE-2021-38478 has been assigned to this vulnerability. A CVSS v3 base score
of 9.1 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

4.2.10 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION
('CROSS-SITE SCRIPTING') CWE-79

The affected product's website used to control the router is vulnerable to
stored cross-site scripting, which may allow an attacker to hijack the
sessions of users connected to the system.

CVE-2021-38482 has been assigned to this vulnerability. A CVSS v3 base score
of 8.7 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H).

4.2.11 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION
('CROSS-SITE SCRIPTING') CWE-79

The affected product is vulnerable to stored cross-site scripting, which may
allow an attacker to hijack the sessions of users connected to the system.

CVE-2021-38468 has been assigned to this vulnerability. A CVSS v3 base score
of 8.7 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H).
4.2.12 OBSERVABLE RESPONSE DISCREPANCY CWE-204

The affected product's authentication response reveals whether a submitted
username exists. This may allow an attacker to enumerate user accounts.

CVE-2021-38476 has been assigned to this vulnerability. A CVSS v3 base score
of 6.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

4.2.13 WEAK PASSWORD REQUIREMENTS CWE-521

The affected product does not enforce an efficient password policy. This may
allow an attacker who has obtained user credentials to enumerate passwords,
impersonate other application users, and perform operations on their behalf.

CVE-2021-38462 has been assigned to this vulnerability. A CVSS v3 base score
of 9.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

4.4 RESEARCHER

Haviv Vaizman, Hay Mizrachi, Alik Koldobsky, Ofir Manzur, and Nikolay Sokolik
of OTORIO reported these vulnerabilities to CISA.

5. MITIGATIONS

--------- Begin Update A Part 2 of 2 ---------

InHand Networks recommends users upgrade to version InRouter6XX-S-V2.3.0.r5484
or later. For additional information, please refer to InHand's Product
Security Advisory InHand-PSA-2021-01.

--------- End Update A Part 2 of 2 ---------

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing VPNs may have vulnerabilities and
    should be updated to the most current version available. Also recognize
    that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage on us-cert.cisa.gov. Several recommended
practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage on us-cert.cisa.gov in the Technical Information
Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for
tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services.

------------------------------------------------------------------------------

ICS Advisory (ICSA-21-119-04)
Multiple RTOS (Update D)

Original release date: November 30, 2021

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are
provided "as is" for informational purposes only. The Department of Homeland
Security (DHS) does not provide any warranties of any kind regarding any
information contained within. DHS does not endorse any commercial product or
service referenced in this product or otherwise. Further dissemination of
this product is governed by the Traffic Light Protocol (TLP) marking in the
header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ .

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendors: Multiple
  o Equipment: Multiple
  o Vulnerabilities: Integer Overflow or Wraparound

CISA is aware of a public report, known as "BadAlloc", that details
vulnerabilities found in multiple real-time operating systems (RTOS) and
supporting libraries. CISA is issuing this advisory to provide early notice of
the reported vulnerabilities and identify baseline mitigations for reducing
the risk of these and other cyberattacks. The various open-source products may
also be present in forked repositories.

2. UPDATE INFORMATION

This updated advisory is a follow-up to the advisory update titled
ICSA-21-119-04 Multiple RTOS (Update C) that was published August 17, 2021, to
the ICS webpage on us-cert.cisa.gov.

3. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in unexpected
behavior such as a crash or remote code injection/execution.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

  o Amazon FreeRTOS, Version 10.4.1
  o Apache Nuttx OS, Version 9.1.0
  o ARM CMSIS-RTOS2, versions prior to 2.1.3
  o ARM Mbed OS, Version 6.3.0
  o ARM mbed-ualloc, Version 1.3.0
  o BlackBerry QNX SDP Versions 6.5.0 SP1 and earlier
  o BlackBerry QNX OS for Safety Versions 1.0.1 and earlier safety products
    compliant with IEC 61508 and/or ISO 26262
  o BlackBerry QNX OS for Medical Versions 1.1 and earlier safety products
    compliant with IEC 62304
    A full list of affected QNX products and versions is available here
  o Cesanta Software Mongoose OS, v2.17.0
  o eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  o Google Cloud IoT Device SDK, Version 1.0.2
  o MediaTek LinkIt SDK, versions prior to 4.6.1
  o Micrium OS, Versions 5.10.1 and prior
  o Micrium uC/OS: uC/LIB Versions 1.38.xx, Version 1.39.00
  o NXP MCUXpresso SDK, versions prior to 2.8.2
  o NXP MQX, Versions 5.1 and prior
  o Red Hat newlib, versions prior to 4.0.0
  o RIOT OS, Version 2020.01.1
  o Samsung Tizen RT RTOS, versions prior to 3.0.GBB
  o TencentOS-tiny, Version 3.1.0
  o Texas Instruments CC32XX, versions prior to 4.40.00.07
  o Texas Instruments SimpleLink MSP432E4XX
  o Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  o Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  o Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  o Uclibc-NG, versions prior to 1.0.36
  o Wind River VxWorks, prior to 7.0
  o Zephyr Project RTOS, versions prior to 2.5

4.2 VULNERABILITY OVERVIEW

4.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190

MediaTek LinkIt SDK versions prior to 4.6.1 are vulnerable to integer overflow
in the memory allocation calls pvPortCalloc (calloc) and pvPortRealloc
(realloc), which can lead to memory corruption on the target device.

CVE-2021-30636 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

4.2.2 INTEGER OVERFLOW OR WRAPAROUND CWE-190

ARM CMSIS RTOS2 versions prior to 2.1.3 are vulnerable to integer wrap-around
in the osRtxMemoryAlloc function (the local malloc equivalent), which can lead
to arbitrary memory allocation, resulting in unexpected behavior such as a
crash or injected code execution.

CVE-2021-27431 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

4.2.3 INTEGER OVERFLOW OR WRAPAROUND CWE-190

ARM mbed-ualloc memory library Version 1.3.0 is vulnerable to integer
wrap-around in the function mbed_krbs, which can lead to arbitrary memory
allocation, resulting in unexpected behavior such as a crash or remote code
injection/execution.

CVE-2021-27433 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
4.2.4 INTEGER OVERFLOW OR WRAPAROUND CWE-190

ARM Mbed OS Version 6.3.0 is vulnerable to integer wrap-around in the
malloc_wrapper function, which can lead to arbitrary memory allocation,
resulting in unexpected behavior such as a crash or remote code
injection/execution.

CVE-2021-27435 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

4.2.5 INTEGER OVERFLOW OR WRAPAROUND CWE-190

RIOT OS Version 2020.01.1 is vulnerable to integer wrap-around in its
implementation of the calloc function, which can lead to arbitrary memory
allocation, resulting in unexpected behavior such as a crash or remote code
injection/execution.

CVE-2021-27427 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

4.2.6 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Samsung Tizen RT RTOS version 3.0.GBB is vulnerable to integer wrap-around in
the functions _calloc and mm_zalloc. This improper memory assignment can lead
to arbitrary memory allocation, resulting in unexpected behavior such as a
crash.

CVE-2021-22684 has been assigned to this vulnerability. A CVSS v3 base score
of 3.2 has been calculated; the CVSS vector string is
(AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L).

4.2.7 INTEGER OVERFLOW OR WRAPAROUND CWE-190

TencentOS-tiny Version 3.1.0 is vulnerable to integer wrap-around in the
function 'tos_mmheap_alloc' (incorrect calculation of the effective memory
allocation size). This improper memory assignment can lead to arbitrary memory
allocation, resulting in unexpected behavior such as a crash or remote code
injection/execution.

CVE-2021-27439 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
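The wrap-around pattern these CWE-190 entries describe, shown as an added example that is not code from the advisory or from any listed vendor: a calloc-style size computation and a memalign-style round-up that silently wrap in size_t, beside hardened versions that refuse the request instead of returning a dangerously small block. All function names are hypothetical.

```c
/*
 * Added illustration of the BadAlloc bug class (hypothetical code, not any
 * vendor's allocator). An allocator derives the request size from
 * caller-controlled operands; when the arithmetic wraps in size_t, a huge
 * request turns into a tiny block that the caller then overruns.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern (calloc-style): nmemb * size is used without an
 * overflow check, so the product silently wraps modulo SIZE_MAX + 1. */
size_t unchecked_calloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Vulnerable pattern (memalign-style): rounding up to an alignment
 * boundary also wraps when size is within align-1 of SIZE_MAX. */
size_t unchecked_aligned_size(size_t size, size_t align)
{
    return (size + align - 1) & ~(align - 1);
}

/* Hardened: refuse the request when the product would not fit in size_t.
 * Returns 1 and stores the byte count on success, 0 on overflow. */
int checked_calloc_size(size_t nmemb, size_t size, size_t *out)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return 0;
    *out = nmemb * size;
    return 1;
}

/* Hardened: require a power-of-two alignment and refuse to round up past
 * SIZE_MAX. Returns 1 on success, 0 if the request is rejected. */
int checked_aligned_size(size_t size, size_t align, size_t *out)
{
    if (align == 0 || (align & (align - 1)) != 0)
        return 0;
    if (size > SIZE_MAX - (align - 1))
        return 0;
    *out = (size + align - 1) & ~(align - 1);
    return 1;
}

/* Same check with 0 meaning "refused", convenient for callers and tests. */
size_t checked_aligned_size_or_zero(size_t size, size_t align)
{
    size_t out;
    return checked_aligned_size(size, align, &out) ? out : 0;
}

/* calloc replacement built on the checked computation: NULL on overflow
 * rather than a block far smaller than the caller believes it got. */
void *safe_calloc(size_t nmemb, size_t size)
{
    size_t bytes;
    if (!checked_calloc_size(nmemb, size, &bytes))
        return NULL;
    void *p = malloc(bytes ? bytes : 1);
    if (p)
        memset(p, 0, bytes);
    return p;
}

/* Constructed request that wraps on both 32- and 64-bit targets:
 * (SIZE_MAX / 4 + 2) * 8 == 8 modulo SIZE_MAX + 1. */
size_t demo_wrapped_size(void)
{
    return unchecked_calloc_size(SIZE_MAX / 4 + 2, 8);
}

/* 1 if the hardened allocator refuses the same request, 0 otherwise. */
int demo_overflow_rejected(void)
{
    return safe_calloc(SIZE_MAX / 4 + 2, 8) == NULL;
}

/* 1 if an ordinary request still succeeds and comes back zero-filled. */
int demo_normal_request_ok(void)
{
    int *v = safe_calloc(4, sizeof *v);
    int ok = v != NULL && v[0] == 0 && v[3] == 0;
    free(v);
    return ok;
}

int main(void)
{
    printf("unchecked size for a huge calloc request: %zu bytes\n",
           demo_wrapped_size());
    printf("hardened calloc rejected it: %s\n",
           demo_overflow_rejected() ? "yes" : "no");
    printf("unchecked round-up of SIZE_MAX-3 to 16: %zu bytes (wrapped)\n",
           unchecked_aligned_size(SIZE_MAX - 3, 16));
    printf("checked round-up result (0 = refused): %zu\n",
           checked_aligned_size_or_zero(SIZE_MAX - 3, 16));
    return 0;
}
```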
4.2.8 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Cesanta Software Mongoose OS v2.17.0 is vulnerable to integer wrap-around in
the function mm_malloc. This improper memory assignment can lead to arbitrary
memory allocation, resulting in unexpected behavior such as a crash or remote
code injection/execution.

CVE-2021-27425 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

4.2.9 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Apache Nuttx OS Version 9.1.0 is vulnerable to integer wrap-around in the
functions malloc, realloc and memalign. This improper memory assignment can
lead to arbitrary memory allocation, resulting in unexpected behavior such as
a crash or remote code injection/execution.

CVE-2021-26461 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

4.2.10 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Several versions of Wind River VxWorks firmware prior to 7.0 are vulnerable to
weaknesses in the following functions: calloc (memLib), mmap/mmap64
(mmanLib), cacheDmaMalloc (cacheLib) and cacheArchDmaMalloc (cacheArchLib).
This improper memory assignment can lead to arbitrary memory allocation,
resulting in unexpected behavior such as a crash or remote code
injection/execution.

CVE-2020-35198 and CVE-2020-28895 have been assigned to this vulnerability. A
CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

4.2.11 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Amazon FreeRTOS Version 10.4.1 is vulnerable to integer wrap-around in
multiple memory management API functions (MemMang, Queue, StreamBuffer). This
unverified memory assignment can lead to arbitrary memory allocation,
resulting in unexpected behavior such as a crash or remote code
injection/execution.
CVE-2021-31571 and CVE-2021-31572 have been assigned to this vulnerability. A
CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

4.2.12 INTEGER OVERFLOW OR WRAPAROUND CWE-190

eCosCentric eCosPro RTOS Versions 2.0.1 through 4.5.3 are vulnerable to
integer wraparound in the function calloc (an implementation of malloc). The
unverified memory assignment can lead to arbitrary memory allocation,
resulting in a heap-based buffer overflow.

CVE-2021-27417 has been assigned to this vulnerability. A CVSS v3 base score
of 4.6 has been calculated; the CVSS vector string is
(AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H).

4.2.13 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Red Hat newlib versions prior to 4.0.0 are vulnerable to integer wrap-around
in the malloc and nano-malloc family routines (memalign, valloc, pvalloc,
nano_memalign, nano_valloc, nano_pvalloc) due to insufficient checking in the
memory alignment logic. This insufficient checking can lead to arbitrary
memory allocation, resulting in unexpected behavior such as a crash or remote
code injection/execution.

CVE-2021-3420 has been assigned to this vulnerability. A CVSS v3 base score
of 9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.2.14 INTEGER OVERFLOW OR WRAPAROUND CWE-190

NXP MCUXpresso SDK versions prior to 2.8.2 are vulnerable to integer overflow
in the SDK_Malloc function, which could allow access to memory locations
outside the bounds of a specified array, leading to unexpected behavior such
as a segmentation fault when assigning a particular block of memory from the
heap via malloc.

CVE-2021-27421 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

4.2.15 INTEGER OVERFLOW OR WRAPAROUND CWE-190

NXP MQX Versions 5.1 and prior are vulnerable to integer overflow in the
mem_alloc, _lwmem_alloc and _partition functions.
This unverified memory assignment can lead to arbitrary memory allocation,
resulting in unexpected behavior such as a crash or remote code
injection/execution.

CVE-2021-22680 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

4.2.16 INTEGER OVERFLOW OR WRAPAROUND CWE-190

uClibc-ng versions prior to 1.0.37 are vulnerable to integer wrap-around in
the malloc-simple functions. This improper memory assignment can lead to
arbitrary memory allocation, resulting in unexpected behavior such as a crash
or remote code injection/execution.

CVE-2021-27419 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

4.2.17 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Texas Instruments TI-RTOS returns a valid pointer to a small buffer for
extremely large request values. This can trigger an integer overflow
vulnerability in 'HeapTrack_alloc' and result in code execution.

CVE-2021-27429 has been assigned to this vulnerability. A CVSS v3 base score
of 7.4 has been calculated; the CVSS vector string is
(AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.2.18 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Texas Instruments TI-RTOS returns a valid pointer to a small buffer for
extremely large request values, which can trigger an integer overflow
vulnerability in 'malloc' and result in code execution.

CVE-2021-22636 has been assigned to this vulnerability. A CVSS v3 base score
of 7.4 has been calculated; the CVSS vector string is
(AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.2.19 INTEGER OVERFLOW OR WRAPAROUND CWE-190

On Texas Instruments devices running FreeRTOS, malloc returns a valid pointer
to a small buffer for extremely large request values, which can trigger an
integer overflow vulnerability in 'malloc' for FreeRTOS, resulting in code
execution.

CVE-2021-27504 has been assigned to this vulnerability.
A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is
(AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.2.20 INTEGER OVERFLOW OR WRAPAROUND CWE-190

In Texas Instruments TI-RTOS, when configured to use the HeapMem heap (the
default), malloc returns a valid pointer to a small buffer for extremely large
request values, which can trigger an integer overflow vulnerability in
'HeapMem_allocUnprotected' and result in code execution.

CVE-2021-27502 has been assigned to this vulnerability. A CVSS v3 base score
of 7.4 has been calculated; the CVSS vector string is
(AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.2.21 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Google Cloud IoT Device SDK Version 1.0.2 is vulnerable to heap overflow due
to integer overflow in its implementation of calloc, which can lead to
arbitrary memory allocation, resulting in unexpected behavior such as a crash
or code execution.

Google PSIRT will assign a CVE. A CVSS score will be calculated when a CVE has
been assigned.

4.2.22 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Micrium OS Versions 5.10.1 and prior are vulnerable to integer wrap-around in
the functions Mem_DynPoolCreate, Mem_DynPoolCreateHW and Mem_PoolCreate. This
unverified memory assignment can lead to arbitrary memory allocation,
resulting in unexpected behavior such as very small blocks of memory being
allocated instead of very large ones.

CVE-2021-27411 has been assigned to this vulnerability. A CVSS v3 base score
of 6.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

4.2.23 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Micrium uC/OS: uC/LIB Versions 1.38.xx and 1.39.00 are vulnerable to integer
wrap-around in the functions Mem_DynPoolCreate, Mem_DynPoolCreateHW and
Mem_PoolCreate. This unverified memory assignment can lead to arbitrary memory
allocation, resulting in unexpected behavior such as very small blocks of
memory being allocated instead of very large ones.

CVE-2021-26706 has been assigned to this vulnerability.
A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H).

4.2.24 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Zephyr Project RTOS versions prior to 2.5 are vulnerable to integer
wrap-around in the sys_mem_pool_alloc function, which can lead to arbitrary
memory allocation, resulting in unexpected behavior such as a crash or code
execution.

CVE-2020-13603 has been assigned to this vulnerability. A CVSS v3 base score
of 6.9 has been calculated; the CVSS vector string is
(AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).

4.2.25 INTEGER OVERFLOW OR WRAPAROUND CWE-190

BlackBerry QNX SDP Versions 6.5.0 SP1 and earlier, QNX OS for Safety Versions
1.0.1 and earlier, QNX OS for Medical Versions 1.1, and other products are
vulnerable to integer wrap-around in the calloc() C runtime function, which
can lead to arbitrary memory allocation, resulting in unexpected behavior such
as a crash or injected code execution.

CVE-2021-22156 has been assigned to this vulnerability. A CVSS v3 base score
of 9.0 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

4.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Multiple

4.4 RESEARCHER

David Atch, Omri Ben Bassat, and Tamir Ariel from Microsoft Section 52, and
the Azure Defender for IoT research group, reported these vulnerabilities to
CISA.

5. MITIGATIONS

  o Amazon FreeRTOS - Update available
  o Apache Nuttx OS Version 9.1.0 - Update available
  o ARM CMSIS-RTOS2 - Update in progress, expected in June
  o ARM Mbed OS - Update available
  o ARM mbed-ualloc - No longer supported and no fix will be issued
  o BlackBerry QNX 6.5.0 SP1 - Update available. See public advisory
  o BlackBerry QNX OS for Safety 1.0.2 - Update available. See public advisory
  o BlackBerry QNX OS for Medical 1.1.1 - Update available. See public
    advisory
  o Cesanta Software Mongoose OS - Update available
  o eCosCentric eCosPro RTOS: Update to Versions 4.5.4 and newer - Update
    available
  o Google Cloud IoT Device SDK - Update available
  o MediaTek LinkIt SDK - MediaTek will provide the update to users. No fix
    for the free version, as it is not intended for production use.
  o Micrium OS: Update to v5.10.2 or later - Update available
  o Micrium uC/OS: uC/LIB Versions 1.38.xx, 1.39.00: Update to v1.39.1 -
    Update available
  o NXP MCUXpresso SDK - Update to 2.9.0 or later
  o NXP MQX - Update to 5.1 or newer
  o Red Hat newlib - Update available
  o RIOT OS - Update available
  o Samsung Tizen RT RTOS - Update available
  o TencentOS-tiny - Update available
  o Texas Instruments CC32XX - Update to v4.40.00.07
  o Texas Instruments SimpleLink CC13X0 - Update to v4.10.03
  o Texas Instruments SimpleLink CC13X2-CC26X2 - Update to v4.40.00
  o Texas Instruments SimpleLink CC2640R2 - Update to v4.40.00
  o Texas Instruments SimpleLink MSP432E4 - Confirmed. No update currently
    planned
  o uClibc-ng - Update available
  o Wind River VxWorks - Update in progress

--------- Begin Update D Part 1 of 1 ---------

  o Wind River VxWorks - Update in progress

    The following devices use Wind River VxWorks as their RTOS:

    Hitachi Energy RTU500 series CMU - Updates available for some firmware
    versions. See public advisory.

    Hitachi Energy Modular Switchgear Monitoring System MSM - Protect your
    network. See public advisory.

--------- End Update D Part 1 of 1 ---------

  o Zephyr Project: Update to 2.5 or later. Patches available for prior
    supported versions. See the Zephyr security advisory for more
    information.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Apply available vendor updates.
  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing VPNs may have vulnerabilities and
    should be updated to the most current version available. Also recognize
    that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage on us-cert.cisa.gov. Several recommended
practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage on us-cert.cisa.gov in the Technical Information
Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for
tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.