CVE-2021-27417: eCosCentric eCosPro RTOS Integer Overflow or Wraparound
First published: Tue May 03 2022(Updated: )
eCosCentric eCosPro RTOS Versions 2.0.1 through 4.5.3 are vulnerable to integer wraparound in function calloc (an implementation of malloc). The unverified memory assignment can lead to arbitrary memory allocation, resulting in a heap-based buffer overflow.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| eCosCentric eCosPro RTOS | >=2.0.1<=4.5.3 | |
| Amazon FreeRTOS | ||
| Apache NuttX | ||
| ARM CMSIS-RTOS2 | ||
| Arm Mbed OS | ||
| Arm Mbed ualloc | ||
| QNX | ||
| BlackBerry QNX OS for Safety | ||
| BlackBerry QNX OS for Medical | ||
| QNX | ||
| Mongoose OS | ||
| eCosCentric eCosPro RTOS | ||
| Google Cloud IoT Device SDK | ||
| MediaTek LinkIt SDK | ||
| Micrium OS | ||
| Micrium uC/OS | ||
| NXP MCUXpresso SDK | ||
| NXP MQX | ||
| newlib | ||
| RIOT OS | ||
| Samsung Tizen RT | ||
| TencentOS-tiny | ||
| Texas Instruments SimpleLink CC32XX | ||
| Texas Instruments SimpleLink MSP432E4 SDK | ||
| Texas Instruments SimpleLink CC13X2 SDK | ||
| Texas Instruments SimpleLink CC26XX | ||
| Texas Instruments SimpleLink CC32XX | ||
| uClibc | ||
| Wind River VxWorks | ||
| Zephyr Project RTOS |
Remedy
Update eCosCentric eCosPro RTOS to version 4.5.4 or newer – Update available
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-27417?
CVE-2021-27417 has a high severity due to its potential for heap-based buffer overflow leading to arbitrary code execution.
How do I fix CVE-2021-27417?
To mitigate CVE-2021-27417, update the affected software versions to the latest patches provided by the vendors.
Which software is affected by CVE-2021-27417?
CVE-2021-27417 affects multiple RTOS products, including eCosCentric eCosPro, Amazon FreeRTOS, and ARM Mbed OS among others.
What happens if CVE-2021-27417 is exploited?
Exploitation of CVE-2021-27417 can allow an attacker to execute arbitrary code on the affected system due to improper memory allocation.
Is CVE-2021-27417 exploitability tested?
Yes, CVE-2021-27417 has been assessed and found to be relatively easy to exploit, increasing the urgency for remediation.
- agent/weakness
- agent/type
- agent/author
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/severity
- agent/last-modified-date
- agent/remedy
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- vendor/ecoscentric
- canonical/ecoscentric ecospro rtos
- version/ecoscentric ecospro rtos/2.0.1
- version/ecoscentric ecospro rtos/4.5.3
- vendor/multiple
- canonical/amazon freertos
- canonical/apache nuttx
- canonical/arm cmsis-rtos2
- canonical/arm mbed os
- canonical/arm mbed ualloc
- canonical/qnx
- canonical/blackberry qnx os for safety
- canonical/blackberry qnx os for medical
- canonical/mongoose os
- canonical/google cloud iot device sdk
- canonical/mediatek linkit sdk
- canonical/micrium os
- canonical/micrium uc/os
- canonical/nxp mcuxpresso sdk
- canonical/nxp mqx
- canonical/newlib
- canonical/riot os
- canonical/samsung tizen rt
- canonical/tencentos-tiny
- canonical/texas instruments simplelink cc32xx
- canonical/texas instruments simplelink msp432e4 sdk
- canonical/texas instruments simplelink cc13x2 sdk
- canonical/texas instruments simplelink cc26xx
- canonical/uclibc
- canonical/wind river vxworks
- canonical/zephyr project rtos