
Vulnerabilities in Eclipse ThreadX Could Lead to Code Execution

Vulnerabilities in the real-time IoT operating system Eclipse ThreadX before version 6.4 could lead to denial-of-service and code execution.

Humanativa Group has published information on several vulnerabilities found in Eclipse ThreadX, a real-time operating system for IoT devices.

Previously known as Azure RTOS, the platform was initially developed by Microsoft, which contributed the technology to the Eclipse Foundation in January 2024, where it was rebranded as Eclipse ThreadX.

Designed for devices with limited resources, Eclipse ThreadX is an open source platform for real-time applications and an advanced embedded development suite.

Analyzing the publicly available ThreadX source code, Humanativa Group’s Marco Ivaldi identified multiple vulnerabilities that could lead to memory corruption and which could be exploited to cause denial-of-service (DoS) conditions or to execute arbitrary code.

Tracked as CVE-2024-2214, the first issue is described as a missing array size check that could lead to buffer overflow and memory overwrite.

The second bug, CVE-2024-2212, exists because the FreeRTOS compatibility API in ThreadX is missing parameter checks for two functions, leading to integer wraparounds, under-allocations, and heap buffer overflows.


According to Ivaldi, an attacker able to control the vulnerable functions could cause an integer wraparound, causing the allocation of a small amount of memory, which would lead to heap buffer overflows.

The third flaw, CVE-2024-2452, impacts the Eclipse ThreadX NetX Duo industrial-grade TCP/IP network stack developed specifically for deeply embedded real-time and IoT applications, and could lead to integer wraparounds, under-allocations, and heap buffer overflows.

“If an attacker can control parameters of __portable_aligned_alloc(), [they] could cause an integer wrap-around and an allocation smaller than expected. This could cause subsequent heap buffer overflows,” the researcher explains.
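To illustrate the bug class described above (an unchecked size computation in an aligned allocator that wraps and under-allocates), here is an added example written for this article; it is hypothetical model code, not ThreadX or NetX Duo source, and it assumes a 32-bit size type (modelled with uint32_t) and an 8-byte block header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of an aligned-allocation size computation; not ThreadX code.
 * uint32_t stands in for the 32-bit size_t of typical embedded targets. */
#define HEADER_BYTES 8u  /* assumed bookkeeping prepended to every block */

/* Weak form: the request is padded for alignment slack and a header with no
 * overflow check, so a very large request wraps to a tiny total (under-allocation). */
uint32_t unchecked_alloc_size(uint32_t size, uint32_t alignment)
{
    return size + (alignment - 1u) + HEADER_BYTES;   /* may wrap modulo 2^32 */
}

/* Hardened form: reject non-power-of-two alignments and any request whose padded
 * total would wrap. Returns 1 and stores the total on success, 0 otherwise. */
int checked_alloc_size(uint32_t size, uint32_t alignment, uint32_t *total)
{
    if (alignment == 0u || (alignment & (alignment - 1u)) != 0u)
        return 0;                                     /* alignment must be a power of two */
    uint32_t slack = (alignment - 1u) + HEADER_BYTES; /* cannot wrap: alignment <= 2^31 */
    if (size > UINT32_MAX - slack)
        return 0;                                     /* size + slack would exceed 32 bits */
    *total = size + slack;
    return 1;
}

/* Toy arena allocator built on the checked computation; NULL on wrap or exhaustion. */
static uint8_t arena[4096];
static uint32_t arena_used;

void *arena_aligned_alloc(uint32_t size, uint32_t alignment)
{
    uint32_t total;
    if (!checked_alloc_size(size, alignment, &total) || total > sizeof arena - arena_used)
        return NULL;
    uintptr_t raw = (uintptr_t)(arena + arena_used) + HEADER_BYTES;
    uintptr_t aligned = (raw + (alignment - 1u)) & ~(uintptr_t)(alignment - 1u);
    arena_used += total;                              /* block spans header + slack + size */
    return (void *)aligned;
}

int main(void)
{
    uint32_t big = 0xFFFFFFF0u, total;
    printf("unchecked total for %u bytes: %u\n", big, unchecked_alloc_size(big, 16u));
    printf("checked accepts it: %d\n", checked_alloc_size(big, 16u, &total));
    return 0;
}
```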

The vulnerabilities were reported to Microsoft and the Eclipse Foundation in December 2023 and January 2024, and were addressed in Eclipse ThreadX version 6.4.0.

However, Humanativa Group also reported additional bugs with security implications that the ThreadX maintainers did not classify as vulnerabilities; they were instead treated as standard code-quality issues to be addressed as improvements in future OS releases.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
