Recently, Microsoft’s Section 52, the Azure Defender for IoT security research group, uncovered critical memory allocation vulnerabilities in real-time operating systems that adversaries could exploit to bypass security controls, called "BadAlloc". In the original ICS advisory, filed with the US Cybersecurity & Infrastructure Security Agency, the problem was also reported for CMSIS-RTOS v2 API.
Arm takes vulnerabilities very seriously and we work across the industry on security and safety topics, such as the Platform Security Architecture that aims to make IoT devices overall more secure. Our engineers took a closer look at the reported issue and applied a patch that overcomes the problem.
The patch has been released today and users of the CMSIS-RTOS v2 based Keil RTX5 need to be aware of the following:
Currently, we are working on the next release of our FuSa RTS (v1.1) that is based on Keil RTX5. This release already contains this patch so that users of our functional safety qualified run-time system can ensure that their applications are safe and secure.
Review the patch on GitHub