Vulnerability discovered in Micro-Controller Operating System

Target Industry 

Indiscriminate, opportunistic targeting. 

Overview  

A security vulnerability has been disclosed in the FTP server of the Micro-Controller Operating System (µC/OS). The flaw, tracked as CVE-2022-41985 (CVSSv3 Score: 8.6 – High), is an authentication-bypass issue that can also lead to a denial-of-service (DoS) within affected products.

Impact  

Successful exploitation of CVE-2022-41985 could allow a threat actor to bypass the authentication protocol on µC/OS or cause a DoS condition. As such, a threat actor could bypass the security mechanism of the vulnerable products, resulting in the compromise of the confidentiality and integrity of data.  

Affected Products 

– Weston Embedded uC-FTPs 1.98.00 

Containment, Mitigations & Remediations 

It is strongly recommended that users update the affected product to the latest version.

Indicators of Compromise 

No specific Indicators of Compromise (IoCs) are available currently. 

Threat Landscape 

The Micro-Controller Operating System occupies a reasonable portion of the operating system market share and is used commonly within the following industry sectors: 

– Health 

– Aerospace 

– Automotive 

– Technology  

Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, it is possible that µC/OS products could emerge as prime targets. Because the associated products are an integral aspect of business operations within the sectors mentioned above, threat actors will continue to exploit vulnerabilities contained within them in an attempt to extract the sensitive data they hold.

Threat Group 

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies

Common Weakness Enumeration: 

CWE-303 – Incorrect Implementation of Authentication Algorithm 

Further Information 

CVE Report 

Talos Intelligence Blog

Intelligence Terminology Yardstick