The NXP Semiconductors MQX RTOS prior to version 5.1 contains a buffer overflow in the DHCP client, which may lead to memory corruption allowing an attacker to execute arbitrary code, as well as an out of bounds read in the DNS client which may lead to a denial of service.
The NXP Semiconductors MQX real-time operating system (RTOS) prior to version 5.1 is vulnerable to the following:
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2017-12718
A remote, unauthenticated attacker may be able to send crafted DHCP or DNS packets to cause a buffer overflow and/or corrupt memory, leading to denial of service or code execution on the device.
Apply an update/patch
NXP Semiconductors Inc.
Thanks to Scott Gayou for reporting this vulnerability.
This document was written by Garret Wassermann.