Humanativa Group has published information on several vulnerabilities found in Eclipse ThreadX, a real-time operating system for IoT devices.
Previously known as Azure RTOS, the platform was initially developed by Microsoft, which contributed the technology to the Eclipse Foundation in January 2024, where it was rebranded as Eclipse ThreadX.
Designed for devices with limited resources, Eclipse ThreadX is an open source platform for real-time applications and an advanced embedded development suite.
Analyzing the publicly available ThreadX source code, Humanativa Group’s Marco Ivaldi identified multiple vulnerabilities that could lead to memory corruption and which could be exploited to cause denial-of-service (DoS) conditions or to execute arbitrary code.
Tracked as CVE-2024-2214, the first issue is described as a missing array size check that could lead to buffer overflow and memory overwrite.
The second bug, CVE-2024-2212, exists because the FreeRTOS compatibility API in ThreadX is missing parameter checks for two functions, leading to integer wraparounds, under-allocations, and heap buffer overflows.
According to Ivaldi, an attacker able to control the parameters of the vulnerable functions could trigger an integer wraparound that results in a much smaller allocation than intended, which in turn leads to heap buffer overflows.
The third flaw, CVE-2024-2452, impacts the Eclipse ThreadX NetX Duo industrial-grade TCP/IP network stack developed specifically for deeply embedded real-time and IoT applications, and could lead to integer wraparounds, under-allocations, and heap buffer overflows.
“If an attacker can control parameters of __portable_aligned_alloc(), [they] could cause an integer wrap-around and an allocation smaller than expected. This could cause subsequent heap buffer overflows,” the researcher explains.
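To illustrate the wraparound class described above, here is an added example (not ThreadX code; the function names and the padding scheme are hypothetical) of a size computation for an aligned allocation written twice: unchecked, where a request near SIZE_MAX wraps to a tiny value and the caller under-allocates, and checked, where the wraparound and invalid alignments are rejected before any memory is handed out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define HEADER sizeof(void *)   /* room to stash the raw pointer for free() */

/* Unchecked size computation, the bug class the article describes:
 * a size near SIZE_MAX makes the sum wrap to a tiny value. */
size_t padded_size_unchecked(size_t size, size_t alignment)
{
    return size + alignment + HEADER;
}

/* Checked variant: 0 means "refuse the request". */
size_t padded_size_checked(size_t size, size_t alignment)
{
    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return 0;                              /* must be a power of two */
    if (size > SIZE_MAX - alignment - HEADER)
        return 0;                              /* sum would wrap */
    return size + alignment + HEADER;
}

/* Hypothetical aligned allocator built on the checked computation:
 * NULL on any invalid parameter, otherwise a pointer aligned to
 * 'alignment' with at least 'size' usable bytes behind it. */
void *checked_aligned_alloc(size_t size, size_t alignment)
{
    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return NULL;
    if (alignment < HEADER)
        alignment = HEADER;                    /* header store must be aligned */
    size_t total = padded_size_checked(size, alignment);
    if (total == 0)
        return NULL;
    unsigned char *raw = malloc(total);
    if (raw == NULL)
        return NULL;
    /* Leave room for the header, then round up to the alignment. */
    uintptr_t a = ((uintptr_t)raw + HEADER + alignment - 1) & ~(uintptr_t)(alignment - 1);
    ((void **)a)[-1] = raw;                    /* remember raw block for free */
    return (void *)a;
}

void checked_aligned_free(void *p)
{
    if (p != NULL)
        free(((void **)p)[-1]);
}
```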
The vulnerabilities were reported to Microsoft and the Eclipse Foundation in December 2023 and January 2024, and were addressed in Eclipse ThreadX version 6.4.0.
However, Humanativa Group also reported additional bugs with security implications that the ThreadX maintainers did not classify as vulnerabilities; they were instead treated as standard issues to be addressed as code improvements in future OS releases.