The Synopsys Cybersecurity Research Center (CyRC) recently uncovered critical vulnerabilities in Zephyr OS, a real-time operating system commonly utilized in IoT and embedded devices, exposing them to IP spoofing attacks and potential denial-of-service (DoS) vulnerabilities. Zephyr OS, known for its customizability and broad compatibility with various architectures, incorporates a versatile network stack supporting IPv4 and IPv6 protocols for seamless networking among connected devices.
The identified flaw in Zephyr OS pertains to its susceptibility to IP address spoofing, where malicious actors can craft IP packets with falsified source addresses to deceive recipients. This vulnerability arises from Zephyr OS’s failure to drop IP packets with local host or destination source addresses from external interfaces, bypassing critical IP-based access control mechanisms. Consequently, devices are left vulnerable to unauthorized access and potential data manipulation, alongside the risk of DoS attacks through overwhelmed loopback interfaces.
The affected Zephyr OS versions, including v.3.5, v.3.4, and 2.7 LTS, have patches available in the main branch and specific release branches to address these vulnerabilities efficiently. The discovery of these vulnerabilities, credited to Senior Software Engineer Kari Hulkko at CyRC, underscores the critical role of robust security testing measures like Defensics® fuzz testing tool in identifying potential threats.
Synopsys’ acknowledgment of the Zephyr OS team’s prompt response and collaboration in resolving these vulnerabilities highlights the importance of coordinated efforts between cybersecurity researchers and software developers in ensuring the integrity and security of connected devices. As the prevalence of IoT and embedded devices increases, prioritizing proactive security measures remains paramount in mitigating risks associated with operating system vulnerabilities.
