CVE-2024-38373: FreeRTOS-Plus-TCP Flaw Exposes Millions of IoT Devices to Critical Risk
A critical vulnerability (CVE-2024-38373) has been discovered in FreeRTOS-Plus-TCP, a popular TCP/IP stack widely used in Internet of Things (IoT) devices and embedded systems. This high-severity flaw, assigned a CVSS score of 9.6, could enable attackers to remotely execute malicious code, potentially compromising the security and integrity of millions of connected devices.
Understanding FreeRTOS-Plus-TCP
FreeRTOS-Plus-TCP is a lightweight TCP/IP stack designed for the FreeRTOS operating system. It offers a familiar Berkeley sockets interface, making it accessible and easy to integrate for developers. The stack is highly scalable, catering to both smaller, low-throughput microcontrollers and larger, high-throughput microprocessors, making it a versatile solution for a wide range of applications.
The Buffer Over-Read Bug: A Gateway for Remote Attacks
The vulnerability resides in the DNS Response Parser component of FreeRTOS-Plus-TCP versions 4.0.0 through 4.1.0. It allows attackers to craft malicious DNS responses that trigger a buffer over-read condition, effectively granting them control over the device’s memory. This, in turn, could lead to arbitrary code execution, enabling attackers to install malware, steal sensitive data, or disrupt critical operations.
Renowned security researcher Jamie Davis has been credited with identifying and reporting this vulnerability.
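The bug class described above, as an added illustration in C (not FreeRTOS-Plus-TCP code and not taken from its patch): a DNS name walker that compares every packet-supplied label length with the bytes actually received before advancing. The function name, constants and sample packets are constructed for this example, and placing the over-read in name-label lengths is an assumption, since the article only locates it in the DNS response parser.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_MAX_LABEL 63u   /* longest ordinary label (RFC 1035) */
#define DNS_MAX_NAME  255u  /* longest encoded name, terminator included */

/* Constructed sample packets, not captured traffic. */
static const uint8_t sample_ok[]  = { 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t sample_bad[] = { 3,'w','w','w', 40,'e','x','a','m','p','l','e' }; /* label claims 40 bytes, 7 present */
static const uint8_t sample_ptr[] = { 0xC0 };           /* compression pointer cut short */

/* Return how many bytes the encoded name at buf[off] occupies,
 * or 0 if it is malformed or would run past the received data. */
size_t dns_skip_name(const uint8_t *buf, size_t len, size_t off)
{
    size_t start = off;

    while (off < len) {
        uint8_t l = buf[off];

        if (l == 0u)                        /* root label ends the name */
            return off + 1u - start;
        if ((l & 0xC0u) == 0xC0u)           /* 2-byte compression pointer ends the name */
            return (len - off >= 2u) ? off + 2u - start : 0;
        if (l > DNS_MAX_LABEL)              /* reserved label types */
            return 0;

        /* The length byte is attacker-controlled: check it against the
         * bytes left in the packet, never against the buffer capacity. */
        if ((size_t)l + 1u > len - off)
            return 0;

        off += (size_t)l + 1u;
        if (off - start >= DNS_MAX_NAME)    /* no room left for the terminator */
            return 0;
    }
    return 0;                               /* data ended before a terminator */
}

int main(void)
{
    printf("ok=%zu bad=%zu truncated-pointer=%zu\n",
           dns_skip_name(sample_ok,  sizeof sample_ok,  0),
           dns_skip_name(sample_bad, sizeof sample_bad, 0),
           dns_skip_name(sample_ptr, sizeof sample_ptr, 0));
    return 0;
}
```

A parser that omits the `len - off` comparison would trust the 40-byte label in `sample_bad` and read past the end of the received response.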
Widespread Impact: Millions of IoT Devices at Risk
FreeRTOS-Plus-TCP is a widely adopted TCP/IP stack, powering countless IoT devices ranging from smart home gadgets and industrial sensors to medical equipment and critical infrastructure systems. The potential impact of this vulnerability is vast, putting millions of devices at risk of compromise.
Immediate Action Required: Update to FreeRTOS-Plus-TCP 4.1.1
To address this critical issue, the FreeRTOS development team has released patches in FreeRTOS-Plus-TCP versions 4.1.1 and later. Users and developers are strongly encouraged to update to these versions to mitigate potential risks associated with CVE-2024-38373.