PT-2019-13136 · Amazon · Amazon Freertos

Published: 2019-10-07 · Updated: 2022-11-02 · CVE-2019-13120

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Amazon FreeRTOS versions up to and including 1.4.8

Description: The prvProcessReceivedPublish function lacks length checking, which can lead to the untargetable leakage of arbitrary memory contents on a device to an attacker. This can occur, under specific circumstances, if an attacker sends a malformed MQTT publish packet to an Amazon IoT Thing that interacts with a vulnerable MQTT message in the application.

Recommendations: For Amazon FreeRTOS versions up to and including 1.4.8, consider restricting access to the prvProcessReceivedPublish function until a patch is available. As a temporary workaround, avoid using the vulnerable function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
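
The Description attributes the leak to a missing length check while handling an MQTT PUBLISH. As an added example (not Amazon FreeRTOS code and not a reconstruction of prvProcessReceivedPublish), the parser below shows the checks that keep every length field of an MQTT 3.1.1 PUBLISH inside the bytes actually received; `parse_publish`, `publish_view` and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative names only; none of these are FreeRTOS identifiers. */
typedef struct {
    const uint8_t *topic, *payload;
    size_t topic_len, payload_len;
    uint8_t qos;
} publish_view;
/* Constructed samples: valid QoS 0 PUBLISH, and one with topic length 0x0040. */
static const uint8_t GOOD_PKT[] = {0x30, 0x07, 0x00, 0x03, 'a', '/', 'b', 'h', 'i'};
static const uint8_t BAD_PKT[]  = {0x30, 0x07, 0x00, 0x40, 'a', '/', 'b', 'h', 'i'};

/* Parse one MQTT 3.1.1 PUBLISH held in buf[0..len). Returns 0 on success, or
 * -1 when a length field disagrees with the bytes actually received. */
int parse_publish(const uint8_t *buf, size_t len, publish_view *out)
{
    size_t pos = 1, remaining = 0, end;
    unsigned shift = 0;
    uint8_t b;
    if (!buf || !out || len < 2 || (buf[0] >> 4) != 3)
        return -1;                        /* not a PUBLISH */
    out->qos = (buf[0] >> 1) & 0x03;
    do {                                  /* Remaining Length: 1-4 bytes, 7 bits each */
        if (pos >= len || shift > 21)
            return -1;
        b = buf[pos++];
        remaining |= (size_t)(b & 0x7F) << shift;
        shift += 7;
    } while (b & 0x80);
    if (remaining > len - pos)
        return -1;                        /* header claims more than was received */
    end = pos + remaining;
    if (end - pos < 2)
        return -1;                        /* no room for the topic length field */
    out->topic_len = ((size_t)buf[pos] << 8) | buf[pos + 1];
    pos += 2;
    if (out->topic_len > end - pos)
        return -1;                        /* topic would run past the packet */
    out->topic = buf + pos;
    pos += out->topic_len;
    if (out->qos > 0) {                   /* QoS 1/2 carry a 2-byte packet id */
        if (end - pos < 2)
            return -1;
        pos += 2;
    }
    out->payload = buf + pos;
    out->payload_len = end - pos;         /* pos <= end, so no underflow */
    return 0;
}
```

Without the `topic_len > end - pos` comparison, the second sample's topic pointer and length would describe 64 bytes starting inside a 9-byte buffer, which is the shape of an out-of-bounds read.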

Weakness Enumeration: Out of bounds Read

Related Identifiers: CVE-2019-13120

Affected Products: Amazon Freertos