
Security advisories

We’re dedicated to secure products and services

Tuxera is committed to delivering reliable, safe, and secure products and services. Security advisories are published to document remediation for potential security issues and vulnerabilities identified in Tuxera products. Tuxera engineers issue a security advisory when mitigation is available and, to reduce or eliminate risks, will not publicly publish any details that could potentially be used to compromise products. Critical information is disclosed directly to our strategic partners and customers or authorized distributors in a timely manner as required, in proportion to the risk and the scope of the issue. We respect the security considerations of all customers and will not provide advance details outside of established channels.

Reporting a vulnerability

Potential security risks and vulnerabilities in Tuxera products are managed through a well-defined process. If you have information about a security issue or vulnerability with a Tuxera product, please e-mail security@tuxera.com.

Please provide as much information as possible, including:
• The products and versions affected
• A detailed description of the security flaw or vulnerability
• Information on known exploits and ways to reproduce the vulnerability

A member of Tuxera’s Security Response Team will review your e-mail and get in touch with you to collaborate on addressing the issue.

Advisories list

Security advisories and updates

Each advisory in the table below provides information on known security vulnerabilities relevant to our products and can be used to determine whether a particular patch or upgrade is appropriate.

Please keep in mind that this rating is intended to be used as a guide only. Tuxera reserves the right to change or update the information on this page without notice at any time.

If you have questions, please contact the technical sales agent or account manager assigned to you. You can also reach us at support@tuxera.com.


| Advisory ID | Product | Affected Version | Solution/Fixed Version | Description | Severity | Published date | Last Updated |
|---|---|---|---|---|---|---|---|
| HCCSEC-000001 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_tcp – v1.9) and before | v4.3 (Package: in_tcp – v1.12) and later | UDP buffer loss | Important | 2021-05-28 | 2022-01-31 |
| HCCSEC-000002 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_common – v1.15) and before | v4.3 (Package: in_common – v1.20) and above | Duplicate of HCCSEC-000010 | Important | 2021-05-28 | 2022-01-31 |
| HCCSEC-000003 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_httpsvr – v1.6) and before | v4.3 (Package: in_httpsvr – v1.7) and above | HTTP heap overflow | Important | 2021-05-28 | 2022-01-31 |
| HCCSEC-000004 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_httpsvr – v1.6) and before | v4.3 (Package: in_httpsvr – v1.7) and above | HTTP heap overflow | Moderate | 2021-05-28 | 2022-01-31 |
| HCCSEC-000005 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_common – v1.15) and before | v4.3 (Package: in_common – v1.20) and above | Duplicate of HCCSEC-000008 | Moderate | 2021-05-28 | 2022-01-31 |
| HCCSEC-000006 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_tcp – v1.9) and before | v4.3 (Package: in_tcp – v1.12) and later | DNS cache poisoning weakness | Low | 2021-05-28 | 2022-01-31 |
| HCCSEC-000007 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_common – v1.15) and before | v4.3 (Package: in_common – v1.20) and above | Out-of-bounds read | Important | 2021-05-28 | 2022-01-31 |
| HCCSEC-000008 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_common – v1.15) and before | v4.3 (Package: in_common – v1.20) and above | DNS cache poisoning weakness | Moderate | 2021-05-28 | 2022-01-31 |
| HCCSEC-000009 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_common – v1.15) and before | v4.3 (Package: in_common – v1.20) and above | Out-of-bounds read | Important | 2021-05-28 | 2022-01-31 |
| HCCSEC-000010 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_common – v1.15) and before | v4.3 (Package: in_common – v1.20) and above | Out-of-bounds read/write | Important | 2021-05-28 | 2022-01-31 |
| HCCSEC-000011 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_ipv4 – v1.5) and before | v4.3 (Package: in_ipv4 – v1.6) and above | Integer overflow | Low | 2021-05-28 | 2022-01-31 |
| HCCSEC-000012 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_tcp – v1.9) and before | v4.3 (Package: in_tcp – v1.12) and above | Integer overflow | Low | 2021-05-28 | 2022-01-31 |
| HCCSEC-000013 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_tcp – v1.9) and before | v4.3 (Package: in_tcp – v1.12) and above | Predictable ISNs | Low | 2021-05-28 | 2022-01-31 |
| HCCSEC-000014 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_tcp – v1.9) and before | v4.3 (Package: in_tcp – v1.12) and above | Loop with Unreachable Exit Condition | Important | 2021-05-28 | 2022-01-31 |
| HCCSEC-000015 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_tcp – v1.9) and before | v4.3 (Package: in_tcp – v1.12) and above | Integer overflow | Low | 2021-05-28 | 2022-01-31 |
| HCCSEC-000016 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_tftp – v1.1) and before | v4.3 (Package: in_tftp – v1.2) and above | Read out of bounds | Important | 2021-05-28 | 2022-01-31 |
| HCCSEC-000017 | InterNiche Nichestack, also NicheLite | v4.3 (Package: in_httpsvr – v1.6) and before | v4.3 (Package: in_httpsvr – v1.7) and above | Unnecessary panic triggered | Moderate | 2021-05-28 | 2022-01-31 |
| HCCSEC-000018 | InterNiche Nichestack, also NicheLite | v3.1 | v4.3* and above | Segment smack | Important | 2021-11-09 | 2022-01-31 |
| TUXSA-2021-0001 | NTFSPROGS | Older versions than NTFSPROGS 3021.4.15.8 | Upgrade to NTFSPROGS 3017.7.18.22 or 3021.4.15.8 | These vulnerabilities may allow an attacker with both physical access to a device and a maliciously crafted NTFS-formatted USB or other external storage to potentially execute arbitrary code. If the NTFS tool is configured to run automatically when external storage is plugged into the device, then the code would execute in user space with the same privileges as the NTFS tool used (typically ntfsck), which is usually root. These vulnerabilities result from incorrect validation of some of the NTFS metadata that could potentially cause buffer overflows, which could be exploited by an attacker. Therefore, an attacker needs to have local or physical access to the target to exploit these vulnerabilities. Common ways for attackers to gain physical access to a machine are social engineering or an evil maid attack on an unattended device. | Moderate | 2021-08-30 | 2021-08-30 |
| TUXSA-2021-0002 | NTFSPROGS | Older versions than NTFSPROGS 3021.4.15.8 | Upgrade to Tuxera NTFS 3017.7.18.22 or 3021.4.15.8 for QNX, Nucleus, INTEGRITY, Windows Automotive and Linux user space | These vulnerabilities may allow an attacker with both physical access to a device and a maliciously crafted NTFS-formatted USB or other external storage to potentially execute arbitrary code with the same privileges as the NTFS driver when the external storage is plugged into the device. These vulnerabilities result from incorrect validation of some of the NTFS metadata that could potentially cause buffer overflows, which could be exploited by an attacker. Therefore, an attacker needs to have local or physical access to the target to exploit these vulnerabilities. Common ways for attackers to gain physical access to a machine are social engineering or an evil maid attack on an unattended device. | Moderate | 2021-08-30 | 2021-08-30 |
| TUXSA-2022-0001 | NTFSPROGS, Tuxera NTFS | Older versions than NTFS 3021.4.23.18 and NTFSPROGS 3021.4.15.12 | Update to NTFS kernel driver 3021.4.23.18 and to NTFSPROGS 3021.4.15.12 | These vulnerabilities may allow an attacker with both physical access to a device and a maliciously crafted NTFS-formatted USB or other external storage to potentially execute arbitrary code. These vulnerabilities result from incorrect validation of some of the NTFS metadata that could potentially cause buffer overflows, which could be exploited by an attacker. Therefore, an attacker needs to have local or physical access to the target to exploit these vulnerabilities. | Moderate | 2022-10-18 | 2022-10-18 |

* InterNiche, Nichestack, and NicheLite are technology from Tuxera Hungary (previously HCC Embedded) – a Tuxera company since 2021. This code is maintained for legacy purposes only.
