Unrated severity · NVD Advisory · Published Mar 7, 2024 · Updated Aug 28, 2024

Privilege Escalation in FreeRTOS Kernel ARMv7-M MPU ports and ARMv8-M ports with MPU support enabled

CVE-2024-28115

Description

FreeRTOS Kernel ≤10.6.1 on ARMv7-M/ARMv8-M MPU ports allows local privilege escalation via ROP after code injection; fixed in 10.6.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

FreeRTOS Kernel versions through 10.6.1 on ARMv7-M MPU ports and ARMv8-M ports with MPU support enabled (configENABLE_MPU set to 1) do not sufficiently protect against local privilege escalation via Return Oriented Programming techniques [1]. This impacts systems where an attacker has already achieved code injection and execution, but remains confined to unprivileged mode by the MPU. The flaw is addressed in version 10.6.2 with a new MPU wrapper [1][2].

Exploitation

An attacker must first gain the ability to inject and execute arbitrary code in an unprivileged context on an affected ARMv7-M or ARMv8-M MPU-based system [1]. Using Return Oriented Programming (ROP), the attacker can chain gadgets to bypass the MPU’s memory protections and escalate privilege to supervisor or kernel level. No additional user interaction beyond the initial code execution is required; the attacker controls the sequence of ROP gadgets [1].

Impact

Successful exploitation allows the attacker to elevate privileges from an unprivileged task to a privileged context, potentially achieving arbitrary read/write of kernel memory and full control over the FreeRTOS kernel [1]. This undermines the isolation provided by the MPU, enabling further compromise of the device.

Mitigation

Update to FreeRTOS Kernel version 10.6.2, released on November 29, 2023, which introduces a new MPU wrapper with an Access Control List (ACL) feature and hardened system call handling [1][2]. No workaround is available for systems that cannot upgrade; affected users should apply the updated kernel immediately [1].
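
To check whether a firmware source tree falls inside the affected range described above, the following added example (not code from the advisory or from the FreeRTOS project) reads the kernel version and configENABLE_MPU from header text. It assumes the kernel's task.h carries the tskKERNEL_VERSION_MAJOR/MINOR/BUILD macros; the armv7m_mpu_port flag and the sample headers are constructed for illustration.

```python
import re

FIXED = (10, 6, 2)  # first fixed kernel release per the advisory

_DEFINE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+(\w+)[ \t]+(.+?)[ \t]*$", re.M)

def parse_defines(text):
    """Map object-like #define names to values, ignoring commented-out code."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"//[^\n]*", "", text)                 # line comments
    return {m.group(1): m.group(2) for m in _DEFINE.finditer(text)}

def _as_int(value):
    """Parse values such as '10', '( 1 )' or '1U'; None if not a plain integer."""
    cleaned = re.sub(r"[()\s]", "", value or "").rstrip("UuLl")
    return int(cleaned) if cleaned.isdigit() else None

def kernel_version(task_h):
    """Return (major, minor, build) from task.h text, or None if incomplete."""
    d = parse_defines(task_h)
    parts = [_as_int(d.get("tskKERNEL_VERSION_" + p)) for p in ("MAJOR", "MINOR", "BUILD")]
    return None if None in parts else tuple(parts)

def assess(task_h, config_h, armv7m_mpu_port=False):
    """armv7m_mpu_port is a hypothetical flag: set it when the build uses an
    ARMv7-M MPU port, which this sketch does not try to detect from headers."""
    version = kernel_version(task_h)
    if version is None:
        return "unknown"
    mpu = armv7m_mpu_port or _as_int(parse_defines(config_h).get("configENABLE_MPU")) == 1
    if not mpu:
        return "not affected"
    return "affected" if version < FIXED else "not affected"

# Constructed sample headers, not taken from any real project.
SAMPLE_TASK_H = """
#define tskKERNEL_VERSION_NUMBER    "V10.6.1"
#define tskKERNEL_VERSION_MAJOR     10
#define tskKERNEL_VERSION_MINOR     6
#define tskKERNEL_VERSION_BUILD     1
"""
SAMPLE_CONFIG_H = """
/* #define configENABLE_MPU 0 */
#define configENABLE_MPU            ( 1 ) // ARMv8-M port, MPU on
"""

if __name__ == "__main__":
    print(assess(SAMPLE_TASK_H, SAMPLE_CONFIG_H))
```

An "unknown" result means the version macros could not be read, so the tree should be checked by hand rather than treated as unaffected.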

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
