BfArM - Federal Institute for Drugs and Medical Devices

Critical vulnerabilities in the real-time operating systems of various vendors

The BfArM points out critical vulnerabilities in the real-time operating systems of various vendors. Details can be found here:

https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04

Affected products are:

  • Amazon FreeRTOS, Version 10.4.1
  • Apache Nuttx OS, Version 9.1.0
  • ARM CMSIS-RTOS2, versions prior to 2.1.3
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-ualloc, Version 1.3.0
  • Cesanta Software Mongoose OS, v2.17.0
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Linux Zephyr RTOS, versions prior to 2.4.0
  • Media Tek LinkIt SDK, versions prior to 4.6.1
  • Micrium OS, Versions 5.10.1 and prior
  • Micrium uC/OS: uC/LIB Versions 1.38.xx, Version 1.39.00
  • NXP MCUXpresso SDK, versions prior to 2.8.2
  • NXP MQX, Versions 5.1 and prior
  • Redhat newlib, versions prior to 4.0.0
  • RIOT OS, Version 2020.01.1
  • Samsung Tizen RT RTOS, versions prior to 3.0.GBB
  • TencentOS-tiny, Version 3.1.0
  • Texas Instruments CC32XX, versions prior to 4.40.00.07
  • Texas Instruments SimpleLink MSP432E4XX
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  • Uclibc-NG, versions prior to 1.0.36
  • Windriver VxWorks, prior to 7.0
  • Micrium uC/LIB Version 1.38.xx, Version 1.39.00
  • Zephyr Project RTOS, versions prior to 2.5
  • QNX SDP 6.5.0SP1
  • QNX SDP 6.5.0
  • QNX SDP 6.4.1
  • QNX SDP 6.4.0
  • QNX Momentics Development Suite 6.3.2
  • QNX Momentics 6.3.0SP3
  • QNX Momentics 6.3.0SP2
  • QNX Momentics 6.3.0SP1
  • QNX Momentics 6.3.0
  • QNX Momentics 6.2.1b
  • QNX Momentics 6.2.1
  • QNX Momentics 6.2.1A
  • QNX Momentics 6.2.0
  • QNX Realtime Platform 6.1.0a
  • QNX Realtime Platform 6.1.0
  • QNX Realtime Platform 6.0.0a
  • QNX Realtime Platform 6.0.0
  • QNX Cross Development Kit 6.0.0
  • QNX Development Kit (Self-hosted) 6.0.0
  • QNX Cross Development Kit 6.1.0
  • QNX Development Kit (Self-hosted) 6.1.0
  • QNX Neutrino RTOS Safe Kernel 1.0
  • QNX Neutrino RTOS Certified Plus 1.0
  • QNX Neutrino RTOS for Medical Devices 1.0
  • QNX Neutrino RTOS for Medical Devices 1.1
  • QNX OS for Automotive Safety 1.0
  • QNX OS for Safety 1.0
  • QNX OS for Safety 1.0.1
  • QNX Neutrino Secure Kernel 6.4.0
  • QNX Neutrino Secure Kernel 6.5.0
  • QNX CAR Development Platform 2.0RR

Real-time operating systems, especially QNX and VxWorks, are used in many medical devices; therefore, critical vulnerabilities in these operating systems have consequences for these medical devices.

Medical device manufacturers using these operating systems must implement risk mitigation measures based on their updated risk analysis in light of these vulnerabilities.

If these measures correspond to the definition of a field safety corrective action in accordance with Article 2 of Regulation (EU) 2017/745 (a corrective action taken by a manufacturer for technical or medical reasons to prevent or reduce the risk of a serious incident in relation to a device made available on the market), the measure must be reported to BfArM on the notification form for field safety corrective actions published by BfArM.

In case of questions, please contact:

Federal Institute for Drugs and Medical Devices
Medical Devices Division
Kurt-Georg-Kiesinger-Allee 3
53175 Bonn

Telephone: +49 (0)228 99 307-5384 (active medical devices and in vitro diagnostics)
Facsimile: +49 (0)228 99 307-5300
E-Mail: md-vigilance@bfarm.de
