“Where there is parsing, there are bugs.”
— Dr. Silvio Cesare

Summary

RIOT is a free, open-source, real-time operating system developed by a grassroots community gathering companies, academia, and hobbyists, distributed all around the world. It supports most low-power IoT devices, microcontroller architectures (32-bit, 16-bit, 8-bit), and external devices. RIOT aims to implement all relevant open standards supporting an Internet of Things that is connected, secure, durable, and privacy-friendly.

I reviewed RIOT’s source code hosted on GitHub and identified multiple security vulnerabilities that may cause memory corruption. Their impacts range from denial of service to potential arbitrary code execution.

My detailed advisory is available at https://github.com/hnsecurity/vulns/blob/main/HNS-2024-07-riot.txt.

Background

Continuing my recent vulnerability research work in the IoT space, I keep assisting open-source projects in finding and fixing security vulnerabilities by reviewing their source code, with the final goal to make IoT more secure. In January 2024, RIOT was selected as a target of interest.

During the source code review, I put my Semgrep C/C++ ruleset and weggli pattern collection to good use to identify hotspots in code on which to focus my attention. By the way, I have a recent addition in my toolbelt that is greatly improving my static analysis workflow: SARIF Explorer by Trail of Bits. Highly recommended!

Triaging static analysis results is now easier with our VSCode extension SARIF explorer. https://t.co/P1UmyCuMyq pic.twitter.com/lePKpwHsc6

— Trail of Bits (@trailofbits) March 20, 2024

Vulnerabilities

The vulnerabilities resulting from my source code review are:

• CVE-2024-31225 – Lack of size check and buffer overflow in RIOT cord.
• CVE-2024-32017 – Buffer overflows in RIOT GCoAP.
• CVE-2024-32018 – Ineffective size check due to assert() and buffer overflow in RIOT NimBLE.
• GHSA-x3j5-hfrr-5x6q – Unsafe use of the return value of vsnprintf() and out-of-bounds memory access in RIOT ESP.
• GHSA-pw2r-pp35-xfmj – Ineffective size check due to assert() and buffer overflow in RIOT BLE.
• GHSA-c4p4-vv7v-3hx8 – Ineffective size check due to assert() and buffer overflow in RIOT SUIT.
• GHSA-r87w-9vw9-f7cx – Integer wraparound and buffer overflow in RIOT mtd_emulated.
• GHSA-2hx7-c324-3rxv – Off-by-one buffer overflow and unterminated string in RIOT lwext4.
• GHSA-frp5-4gfp-84j3 – Unsafe use of the return value of snprintf() and out-of-bounds memory access in RIOT shell
• GHSA-x27v-gqp4-7jq3 – Lack of size checks and buffer overflows in RIOT emCute

For additional information about these vulnerabilities and their fixes, please refer to the detailed advisory.

It took me about 16 hours to complete the code review, not counting the time spent in the disclosure process.

Disclosure and fixes

I reported the vulnerabilities discussed in this advisory to RIOT maintainers in January 2024, via the handy private reporting feature that is available on GitHub. I’m not sure of the reason of the significant delay in the initial maintainers’ response. However, once I got their attention they quickly triaged and fixed all vulnerabilities (with the exception of GHSA-x27v-gqp4-7jq3 that is currently being discussed publicly because it’s not considered security critical). They also informed me that:

• They are treating such delay as an additional security incident.
• They added another maintainer to the security group as an immediate action.
• They plan on discussing this shortcoming on the next maintainer assembly to find a long-term solution.

The coordinated disclosure timeline follows:

• 2024-01-10: reported the first vulnerability to the RIOT project.
• 2024-01-11: reported four more vulnerabilities.
• 2024-01-12: reported the rest of the vulnerabilities.
• 2024-02-09: asked for feedback on <[email protected]>.
• 2024-03-05: asked again for feedback on <[email protected]>.
• 2024-04-05: asked again for feedback via GitHub and got the first reply.
• 2024-04-06: started collaborating with RIOT to evaluate proposed fixes.
• 2024-04-10: First security advisory published on GitHub.
• 2024-04-17: Another security advisory published on GitHub.
• 2024-04-24: Asked for a status update on the remaining reports.
• 2024-04-25: Two more security advisories published on GitHub.
• 2024-04-26: Another security advisory published on GitHub.
• 2024-04-30: Three more security advisories published on GitHub.
• 2024-05-07: Published advisory and writeup.

Acknowledgments

I would like to thank RIOT maintainers for triaging and fixing the reported vulnerabilities in a particularly friendly and professional way. I really appreciated working with them!