Flaws in an operating system used across a range of NXP microprocessors could be widespread in embedded systems, security experts and the Department of Homeland Security are warning.

A serious security hole in software that runs millions of embedded systems could leave them open to remote hacking, the Department of Homeland Security warns.

The MQX real-time operating system (RTOS) from NXP Semiconductors has a serious, remotely exploitable hole that could allow an attacker to take control of a wide range of embedded devices using a trivial software-based attack, the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned in an advisory issued October 12.

MQX is a common operating system on embedded systems built around a wide range of NXP microcontrollers, and those systems include a wide range of industrial control equipment. According to ICS-CERT, exploitation of these vulnerabilities may allow a remote attacker to cause a buffer overflow condition that could lead to remote code execution, or an out-of-bounds read condition that results in a denial of service.

MQX is used by NXP ColdFire microcontrollers, a common component of embedded devices including industrial control systems used in power plants and water treatment facilities, according to Billy Rios, the founder and CEO of the firm Whitescope. It is also the operating system used by a wide range of other NXP processors, including the Kinetis, i.MX and Vybrid families.

Those processors are the brains of a wide range of embedded devices, from small to mid-range routers and switches to more specialized products and Internet of Things devices, said Deral Heiland, the research lead for Internet of Things technology at the firm Rapid7. Heiland said he has come across both ColdFire and i.MX processors in his research on Internet of Things devices.

The vulnerabilities in MQX were discovered by Scott Gayou, a security engineer at the firm Garmin. They include a buffer overflow vulnerability in MQX's DHCP (dynamic host configuration protocol) client: a malicious DHCP packet could overwrite memory on the device with attacker-supplied data, including malicious code or commands. That flaw affects devices running MQX Version 5.0 and earlier. A second vulnerability, in the DNS (domain name system) client for MQX, could allow an attacker to use a specially crafted DNS packet to make the device read memory out of bounds, causing it to crash. That flaw affects devices running MQX Version 4.1 and earlier.
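Both flaws are variants of the same embedded-parsing mistake: a length field taken from the network is trusted, once for a copy into a fixed-size buffer (the DHCP overflow) and once for a read that runs past the bytes actually received (the DNS out-of-bounds read). The C below is an added illustration of that pattern, not MQX or RTCS source code and not the actual bug: a simplified DHCP option parser in a vulnerable form and a bounds-checked form. The structure, field names, the 64-byte domain buffer and the packet bytes are all constructed for the example.

```c
/*
 * Added example (not MQX source): a DHCP option parser in the style of a
 * small embedded client, in a vulnerable form and a bounds-checked form.
 * All names, the 64-byte domain buffer and the packet bytes are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DOMAIN_MAX 64            /* assumed fixed-size destination buffer */
#define DHCP_OPT_PAD       0
#define DHCP_OPT_DOMAIN   15     /* RFC 2132 "Domain Name" option */
#define DHCP_OPT_MSGTYPE  53
#define DHCP_OPT_END     255

#define ERR_TRUNCATED (-1)       /* option runs past the received bytes: OOB read */
#define ERR_TOO_LARGE (-2)       /* option value does not fit the destination: overflow */
#define ERR_MALFORMED (-3)

struct dhcp_lease {
    uint8_t msg_type;
    char    domain[DOMAIN_MAX];
};

/* VULNERABLE pattern: the sender's length byte is trusted both for the read
 * from the packet and for the write into the fixed-size buffer. */
int parse_options_vulnerable(const uint8_t *opts, size_t len, struct dhcp_lease *out)
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) return 0;
        uint8_t olen = opts[i++];            /* attacker-controlled, up to 255 */
        if (code == DHCP_OPT_MSGTYPE) {
            out->msg_type = opts[i];
        } else if (code == DHCP_OPT_DOMAIN) {
            /* olen > 63 writes past out->domain; olen > len - i reads past the packet */
            memcpy(out->domain, &opts[i], olen);
            out->domain[olen] = '\0';
        }
        i += olen;
    }
    return 0;
}

/* HARDENED: every length is checked against the bytes actually received and
 * against the destination before any copy happens. */
int parse_options_hardened(const uint8_t *opts, size_t len, struct dhcp_lease *out)
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) return 0;
        if (i >= len) return ERR_TRUNCATED;  /* the length byte itself is missing */
        uint8_t olen = opts[i++];
        if (olen > len - i) return ERR_TRUNCATED;
        if (code == DHCP_OPT_MSGTYPE) {
            if (olen != 1) return ERR_MALFORMED;
            out->msg_type = opts[i];
        } else if (code == DHCP_OPT_DOMAIN) {
            if (olen >= DOMAIN_MAX) return ERR_TOO_LARGE;  /* keep room for the NUL */
            memcpy(out->domain, &opts[i], olen);
            out->domain[olen] = '\0';
        }                                    /* unknown options are skipped */
        i += olen;
    }
    return ERR_TRUNCATED;                    /* END option never seen */
}

/* Constructed option bytes (the part of a DHCP reply after the magic cookie). */
static const uint8_t benign_opts[] = {
    DHCP_OPT_MSGTYPE, 1, 5,                  /* DHCPACK */
    DHCP_OPT_DOMAIN, 11, 'p','l','a','n','t','.','l','o','c','a','l',
    DHCP_OPT_END
};
/* Claims a 200-byte domain but only 8 bytes follow: the read would run past the packet. */
static const uint8_t truncated_opts[] = { DHCP_OPT_DOMAIN, 200, 'a','a','a','a','a','a','a','a' };
/* A fully present 100-byte domain: too large for the 64-byte buffer. */
static uint8_t oversized_opts[1 + 1 + 100 + 1];
static void build_oversized(void)
{
    oversized_opts[0] = DHCP_OPT_DOMAIN;
    oversized_opts[1] = 100;
    memset(&oversized_opts[2], 'A', 100);
    oversized_opts[102] = DHCP_OPT_END;
}

/* Wrappers returning the parser's verdict on each constructed packet. */
int hardened_on_benign(void)    { struct dhcp_lease l = {0}; return parse_options_hardened(benign_opts, sizeof benign_opts, &l); }
int hardened_on_truncated(void) { struct dhcp_lease l = {0}; return parse_options_hardened(truncated_opts, sizeof truncated_opts, &l); }
int hardened_on_oversized(void) { struct dhcp_lease l = {0}; build_oversized(); return parse_options_hardened(oversized_opts, sizeof oversized_opts, &l); }
/* The vulnerable parser handles normal traffic correctly, which is why such bugs ship. */
int vulnerable_ok_on_benign(void)
{
    struct dhcp_lease l = {0};
    return parse_options_vulnerable(benign_opts, sizeof benign_opts, &l) == 0
        && l.msg_type == 5 && strcmp(l.domain, "plant.local") == 0;
}

int main(void)
{
    printf("hardened: benign=%d truncated=%d oversized=%d; vulnerable ok on benign=%d\n",
           hardened_on_benign(), hardened_on_truncated(), hardened_on_oversized(),
           vulnerable_ok_on_benign());
    return 0;
}
```

The two checks in the hardened parser map onto the two advisories: `olen > len - i` is the guard against reading past the received datagram (the class of bug behind the DNS denial of service), and `olen >= DOMAIN_MAX` is the guard against writing past the fixed buffer (the class behind the DHCP overflow). The vulnerable parser is deliberately never run on the malicious inputs here, since doing so is undefined behaviour; on a real microcontroller without stack protection it would be a crash or a code-execution primitive.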

Heiland said the DNS vulnerability is the less dangerous of the two, as it would only be useful for a so-called "denial of service" attack against vulnerable devices. The DHCP vulnerability is much more serious, especially since embedded devices typically have fewer built-in protections against buffer overflow attacks than modern general-purpose operating systems. "You'd have to dig into the specifics of each processor to see if they have any protections like address space randomization, but they often don't exist in embedded devices," he said. That makes buffer overflows, an older class of attacks, quite potent on those devices.

Devices running vulnerable versions of MQX could only be hacked directly from the Internet if they were reachable from the public Internet and were listening for DHCP communications, a dangerous scenario but not out of the question, Heiland said. MQX includes a web server, and a search of Internet-facing hosts reveals about 1,600 MQX devices that are publicly accessible. The bigger danger, said Heiland, may be devices that are not publicly addressable but that can serve as stepping stones or staging platforms for attackers who already have access to a sensitive corporate environment.

“If you’re an attacker who has gained a foothold on a network, you know they’re monitoring Windows and Mac and Linux. But you can be pretty sure they’re not monitoring their embedded devices,” Heiland said. “So these devices are potential entry and exit points someone can leverage.”

NXP plans to release a fixed version of MQX (Version 5.1) by January 2018, ICS-CERT said. In the meantime the company recommends applying a "code modification" to devices running Version 5.0; that modification can be obtained from the company. Users of Version 4.1 of MQX can upgrade to Version 4.2 or 5.0 to remove the out-of-bounds read vulnerability that leaves devices open to the denial of service attack. Note that because the DHCP flaw affects Version 5.0 and earlier, moving to 5.0 addresses only the DNS issue, and the code modification is still needed until 5.1 ships.