25 vulnerabilities in the Zephyr RTOS, including one exploitable via an ICMP packet

Researchers from NCC Group have published the results of a free audit of the Zephyr project, which develops a real-time operating system (RTOS) intended for Internet of Things (IoT) devices. The audit revealed 25 vulnerabilities in Zephyr and 1 vulnerability in MCUboot. Zephyr is developed with the participation of companies including Intel.

In total, 6 vulnerabilities were identified in the network stack, 4 in the kernel, 2 in the command shell, 5 in system call handlers, 5 in the USB subsystem, and 3 in the firmware update mechanism. Two issues are rated critical, two high, 9 moderate, 9 low, and 4 are listed for consideration. The critical issues affect the IPv4 stack and the MQTT parser; the high-severity ones affect the USB mass storage and USB DFU drivers. At the time of disclosure, fixes had been prepared only for the 15 most dangerous vulnerabilities, while issues leading to denial of service or related to flaws in the kernel's additional protection mechanisms remain unpatched.

A remotely exploitable vulnerability was identified in the platform's IPv4 stack that leads to memory corruption when processing specially crafted ICMP packets. Another serious issue was found in the MQTT protocol parser: it lacks a proper check of the length of fields in the header and can lead to remote code execution. Less severe denial-of-service issues were found in the IPv6 stack and in the CoAP protocol implementation.
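As an added illustration of the kind of header-length validation the article says the MQTT parser lacked (example code written for this page, not Zephyr's or NCC Group's; the struct and function names are assumptions), here is a bounds-checked decoder for the MQTT fixed header and for a length-prefixed string field in the variable header:

```c
#include <stddef.h>
#include <stdint.h>

/* Decoded MQTT fixed header (illustrative type, not Zephyr's). */
struct mqtt_fixed_hdr {
    uint8_t  type;       /* control packet type, upper nibble of byte 0 */
    uint8_t  flags;      /* lower nibble of byte 0 */
    uint32_t remaining;  /* decoded "remaining length" varint */
    size_t   hdr_len;    /* bytes consumed by the fixed header */
};

/* Parse the MQTT 3.1.1 fixed header from buf[0..len). Returns 0 on success,
 * -1 on malformed or truncated input. Every read is bounded by len, and the
 * decoded remaining length is checked against the bytes actually received,
 * so an over-long claim is rejected here, not trusted by later parsing. */
int mqtt_parse_fixed_header(const uint8_t *buf, size_t len,
                            struct mqtt_fixed_hdr *out)
{
    if (buf == NULL || out == NULL || len < 2) return -1; /* type + 1 length byte */
    out->type  = buf[0] >> 4;
    out->flags = buf[0] & 0x0F;
    if (out->type == 0 || out->type == 15) return -1;    /* reserved packet types */
    uint32_t value = 0, mult = 1;
    size_t i = 1;
    for (;;) {
        if (i >= len || i > 4) return -1;  /* varint truncated or longer than 4 bytes */
        uint8_t b = buf[i++];
        value += (uint32_t)(b & 0x7F) * mult;
        if ((b & 0x80) == 0) break;
        mult *= 128;
    }
    if (value > len - i) return -1;        /* claimed payload exceeds received bytes */
    out->remaining = value;
    out->hdr_len   = i;
    return 0;
}

/* Read a 2-byte big-endian length-prefixed string field from the variable
 * header (e.g. the CONNECT client id), advancing *pos. Returns the string
 * length, or -1 when the declared length runs past the received bytes. */
int mqtt_read_string(const uint8_t *buf, size_t len, size_t *pos)
{
    if (*pos > len || len - *pos < 2) return -1;
    size_t n = ((size_t)buf[*pos] << 8) | buf[*pos + 1];
    *pos += 2;
    if (n > len - *pos) return -1;         /* the check a lax parser omits */
    *pos += n;
    return (int)n;
}
```

The inputs in the checks below are constructed: a short CONNECT-style header, a header whose remaining length claims more payload than was received, a 5-byte varint, and a string field that declares 16 bytes while only 1 is present.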

Other issues can be exploited locally to cause a denial of service or execute code at the kernel level. Most of these vulnerabilities stem from insufficient validation of system call arguments and can lead to reads and writes of arbitrary kernel memory. The problems also extend to the system call dispatch code itself: a call with a negative system call number leads to an integer overflow. Issues were also identified in the kernel's implementation of ASLR (address space layout randomization) and of stack canaries, rendering these mechanisms ineffective.

Many issues affect the USB stack and individual drivers. For example, a problem in the USB mass storage driver allows a buffer overflow and kernel-level code execution when the device is connected to an attacker-controlled USB host. A vulnerability in USB DFU, the driver for loading new firmware over USB, allows a modified firmware image to be written to the microcontroller's internal flash without encryption, bypassing secure boot and its digital signature verification of components. Additionally, the code of the open-source MCUboot bootloader was examined, and one low-severity vulnerability was found in it that can lead to a buffer overflow when using SMP (Simple Management Protocol) over UART.

Recall that Zephyr provides a single globally shared virtual address space (SASOS, Single Address Space Operating System) for all processes. Application-specific code is combined with a kernel configured for that application to form a monolithic executable that is loaded and run on specific hardware. All system resources are determined at compile time, which reduces code size and improves performance. Only the kernel features required to run the application are included in the system image.

It is noteworthy that development with security in mind is mentioned among Zephyr's key advantages. It is claimed that all stages of development pass through mandatory code security verification steps: fuzz testing, static analysis, penetration testing, code review, backdoor injection analysis, and threat modeling.

Source: opennet.ru