SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-381523530] NXP Semiconductors MQX RTOS

Date: 2017-10-12
Type: Other
Platform: NXP Semiconductors
Author: Scott Gayou identified and coordinated these vulnerabilities with NXP, CERT/CC, and ICS-CERT.
EDB-ID: N/A
CVE-ID: CVE-2017-1271 CVE-2017-1272
OSVDB-ID: N/A
Download App: N/A
SIS Signature: N/A

Source

#
# NXP Semiconductors MQX RTOS
#


### VULNERABLE VENDOR
NXP Semiconductors


### VULNERABLE PRODUCT
MQX RTOS



### RESEARCHER
Scott Gayou identified and coordinated these vulnerabilities with NXP, CERT/CC, and ICS-CERT.



### AFFECTED PRODUCTS

The following versions of MQX Real-Time Operating System (RTOS), which is used in NXP's ColdFire microcontrollers, Kinetis microcontrollers, i.MX processors, and Vybrid processors, are affected by the vulnerabilities listed below.

Versions susceptible to the Classic Buffer Overflow vulnerability:

MQX RTOS, Version 5.0 and prior versions.

Versions susceptible to the Out-of-Bounds Read vulnerability:

MQX RTOS, Version 4.1 and prior versions.



### IMPACT

Successful exploitation of these vulnerabilities may allow a remote attacker to cause a buffer overflow condition that may, in turn, cause remote code execution or out-of-bounds read conditions, resulting in a denial of service.



### VULNERABILITY OVERVIEW

BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW') CWE-120
The Real-Time TCP/IP Communications Suite (RTCS) in MQX's DHCP client fails to sanitize all inputs, which may allow maliciously crafted DHCP packets to cause memory to be overwritten, allowing remote code execution.
CVE-2017-12718 has been assigned to this vulnerability.
A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
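
The advisory does not say which DHCP field the RTCS client mishandles. As an added example (not NXP's code and not part of the advisory), the C function below walks a DHCP options field and applies the length checks whose absence leads to CWE-120; the function name, buffer size and sample option bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD 0    /* one-byte padding option */
#define DHCP_OPT_END 255  /* end-of-options marker */

/* Constructed sample option fields (tag, length, value ...). */
static const uint8_t ok_opts[] = {1, 4, 255, 255, 255, 0, 6, 4, 192, 0, 2, 53, 255};
static const uint8_t truncated_opts[] = {12, 64, 'p', 'l', 'c'}; /* claims 64, carries 3 */
static const uint8_t long_name_opts[] = {12, 10, 'a', 'a', 'a', 'a', 'a',
                                         'a', 'a', 'a', 'a', 'a', 255};

/* Copy the value of option `code` into `out`.
 * Returns the value length, or -1 if the option is absent, malformed,
 * or larger than `out_cap`. Never reads past opts + opts_len and never
 * writes past out + out_cap. */
int dhcp_get_option(const uint8_t *opts, size_t opts_len, uint8_t code,
                    uint8_t *out, size_t out_cap)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t tag = opts[i++];
        if (tag == DHCP_OPT_PAD) continue;   /* no length byte follows */
        if (tag == DHCP_OPT_END) break;
        if (i >= opts_len) return -1;        /* length byte is missing */
        size_t len = opts[i++];
        if (len > opts_len - i) return -1;   /* value runs past the packet */
        if (tag == code) {
            if (len > out_cap) return -1;    /* would overflow the destination */
            memcpy(out, opts + i, len);
            return (int)len;
        }
        i += len;                            /* skip an option we do not want */
    }
    return -1;
}

int main(void)
{
    uint8_t buf[8];
    printf("dns=%d truncated=%d long=%d\n",
           dhcp_get_option(ok_opts, sizeof ok_opts, 6, buf, sizeof buf),
           dhcp_get_option(truncated_opts, sizeof truncated_opts, 12, buf, sizeof buf),
           dhcp_get_option(long_name_opts, sizeof long_name_opts, 12, buf, sizeof buf));
    return 0;
}
```

The check against the remaining packet length guards the read side, and the check against `out_cap` guards the write side; a parser needs both because the length byte is attacker-controlled.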


OUT-OF-BOUNDS READ CWE-125
The DNS client for MQX fails to bounds check DNS response parameters, which may allow maliciously crafted DNS packets to cause memory to be read out-of-bounds, resulting in a denial of service.
CVE-2017-12722 has been assigned to this vulnerability.
A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).





### BACKGROUND

Critical Infrastructure Sectors: Communications, Critical Manufacturing, Healthcare and Public Health, and Transportation
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Eindhoven, Netherlands




### MITIGATION

NXP is planning to release a product fix for MQX, Version 5.1, by January 2018, which will address both vulnerabilities. Until the product fix can be applied, NXP recommends that users consider implementing the following interim mitigations to limit the risk of exploitation of the identified vulnerabilities:

For MQX users running Version 5.0, NXP has produced a code modification that can be applied prior to the release of Version 5.1. Users can contact NXP directly via email at MQXsales@NXP.com to get additional information.

For MQX users running Version 4.1 and prior versions, NXP recommends that users update to Version 4.2 or Version 5.0, which do not contain the out-of-bounds read vulnerability.