Vulnerability Note VU#590639

The NXP Semiconductors MQX real-time operating system (RTOS) prior to version 5.1 is vulnerable to the following:

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2017-12718

The RTCS DHCP client for MQX version 5.0 fails to sanitize lengths for DHCP options 66 and 67. A remote attacker sending crafted DHCP packets utilizing options 66 and 67 may gain control of the length passed to memcpy, which may allow overwriting memory with a function pointer and privileged arbitrary code execution on all devices that have MQX RTCS networking support and DHCP enabled.

CWE-125: Out-of-bounds Read - CVE-2017-12722

The DNS client for MQX prior to version 4.2 fails to properly handle sizes in corrupt DNS packets, resulting in an out-of-bounds read. A remote attacker sending crafted DNS packets may cause an out-of-bounds read condition, resulting in a denial of service.

ICS-CERT has also released an advisory with further information on vulnerable products.

A remote, unauthenticated attacker may be able to send crafted DHCP or DNS packets to cause a buffer overflow and/or corrupt memory, leading to denial of service or code execution on the device.

Apply an update/patch

CVE-2017-12722 only affects MQX version 4.1 or prior. Affected users are encouraged to update to version 4.2 or later as soon as possible.

A patch is available for CVE-2017-12718 for users of MQX version 5.0. Affected users may contact NXP support at <mqxsales@nxp.com> for details.

MQX version 5.1 will fully address these issues, but is not expected to be released until 2018Q1.