Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
Summary
Security firm runZero has disclosed seven vulnerabilities in FatFs, a widely used filesystem library embedded in millions of devices. Because FatFs handles reading and writing of the FAT and exFAT formats, the flaws affect a variety of embedded systems, including security cameras, drones, and industrial controllers.
IFF Assessment
The disclosure of multiple unpatched vulnerabilities in a widely used embedded device library presents a significant risk to many systems, making it bad news for defenders.
Severity
The vulnerabilities are in a widely deployed filesystem library, suggesting a broad attack surface. The potential for remote code execution and data manipulation without authentication, combined with widespread use in embedded devices, which are often harder to patch, justifies a high CVSS score.
Defender Context
Defenders need to be aware of the widespread use of FatFs in embedded devices, as these systems are often difficult to patch and may be vulnerable to attacks exploiting these newly disclosed flaws. Organizations should prioritize identifying and securing devices that rely on this filesystem library.