FreeRTOS-Plus-TCP Integer Underflow Vulnerability in ICMP Echo Reply Handling Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in FreeRTOS-Plus-TCP versions 4.0.0 through 4.2.5 and 4.3.0 through 4.4.0. The issue is an integer underflow in the ICMP and ICMPv6 echo reply handlers. When outgoing ping support is enabled, an attacker on an adjacent network can crash the device. The handlers subtract the header sizes from a packet length field without first checking that the packet is at least that long, so the derived length underflows and a subsequent read runs past the end of the heap buffer by up to approximately 65KB. This path is reachable when the default IP header validation is bypassed, and on devices with memory protection the out-of-bounds read crashes the device.

Impact

Exploitation of this vulnerability crashes the device, leading to a denial-of-service condition. On devices with memory protection the crash occurs because the out-of-bounds data is consumed by a local comparison rather than being transmitted, so the fault is raised on the device itself.
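The arithmetic pattern behind the Vulnerability and Impact sections above, shown as an added illustration in C; this is not FreeRTOS-Plus-TCP source, and the header sizes, the `echo_reply_matches` check and the sample packet are constructed for the example.

```c
/* Added example (not FreeRTOS-Plus-TCP code): length underflow when header
 * sizes are subtracted from a packet length without a bounds check, beside
 * the hardened form. Header sizes are representative values. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define IP_HDR_LEN   20u   /* IPv4 header without options (assumed) */
#define ICMP_HDR_LEN  8u   /* ICMP echo header: type, code, cksum, id, seq */

/* Vulnerable pattern: subtract the header sizes without checking that the
 * packet is at least that long. For a short packet the 16-bit result wraps
 * to a value near 65535, and a later comparison over the "payload" walks
 * off the end of the heap buffer. */
static uint16_t payload_len_unchecked(uint16_t packet_len)
{
    return (uint16_t)(packet_len - IP_HDR_LEN - ICMP_HDR_LEN);
}

/* Hardened form: reject packets shorter than the combined headers before
 * any subtraction, so the derived length can never wrap. Returns -1 when
 * the packet must be dropped, otherwise the payload length. */
static int payload_len_checked(uint16_t packet_len)
{
    if (packet_len < IP_HDR_LEN + ICMP_HDR_LEN) {
        return -1;
    }
    return (int)(packet_len - IP_HDR_LEN - ICMP_HDR_LEN);
}

/* The local comparison the advisory mentions: the reply payload is matched
 * against the payload we sent. With the checked length the memcmp() can
 * only touch bytes that are actually present in the received buffer. */
static bool echo_reply_matches(const uint8_t *pkt, uint16_t packet_len,
                               const uint8_t *sent, size_t sent_len)
{
    int len = payload_len_checked(packet_len);
    if (len < 0 || (size_t)len != sent_len) {
        return false;
    }
    return memcmp(pkt + IP_HDR_LEN + ICMP_HDR_LEN, sent, sent_len) == 0;
}

/* Constructed sample: 28 header bytes (zeroed) followed by payload "abcd". */
static const uint8_t kSampleReply[IP_HDR_LEN + ICMP_HDR_LEN + 4] = {
    [IP_HDR_LEN + ICMP_HDR_LEN] = 'a', 'b', 'c', 'd'
};
static const uint8_t kSentPayload[4] = { 'a', 'b', 'c', 'd' };
```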

Remediation

Users should upgrade to FreeRTOS-Plus-TCP versions 4.2.6 or 4.4.1, and ensure any forked or derivative code is patched to incorporate the new fixes. Instructions for downloading these versions are available on the FreeRTOS GitHub Releases page.

Added: Apr 29, 2026, 7:22 PM
Updated: Apr 29, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 3.1
exploitability: 5.3
remediation: 7.9
relevance: 7.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.