Security researchers at Microsoft have disclosed more than two dozen critical remote code execution (RCE) vulnerabilities in Internet of Things (IoT) devices and Operational Technology (OT) industrial systems.
This set of 25 security flaws is known collectively as BadAlloc. The flaws are memory allocation bugs rooted in integer overflow or wraparound: a size computation wraps to a small value, so the allocator hands back a buffer far smaller than the caller asked for.
Threat actors can exploit these vulnerabilities to crash a vulnerable IoT or OT device or, in the worst case, execute malicious code on it remotely.
The vulnerabilities were discovered by Microsoft’s researchers in standard memory allocation functions widely utilized in several Real-Time Operating Systems (RTOS), C standard library (libc) implementations, and embedded software development kits (SDKs).
The Microsoft Security Response Center (MSRC) team said its research shows that memory allocation implementations written over the years for IoT devices and embedded software have not included appropriate input validation.
Without that validation, the MSRC team said, an attacker can abuse the memory allocation function to cause a heap overflow and, from there, execute malicious code on the target device.
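The following is an added example written for this article; it is not code from Microsoft or from any of the vendors listed below. It shows the bug class MSRC describes in a toy allocator: the request size is rounded up and has a bookkeeping header added with unchecked size_t arithmetic, so an attacker-controlled length near SIZE_MAX wraps to a tiny value, the free-space check passes, and the caller receives a block far smaller than it believes it owns. The hardened versions reject the request before the arithmetic can wrap. The header size, alignment and arena size are assumptions chosen for illustration, and the check applies equally on 32-bit targets where SIZE_MAX is 0xFFFFFFFF.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not any real RTOS or libc allocator. Values below are assumed. */
#define HEAP_SIZE 4096u   /* toy arena */
#define HDR_SIZE  8u      /* bookkeeping bytes stored before each block */
#define ALIGN     8u      /* block sizes are rounded up to this boundary */

static unsigned char g_heap[HEAP_SIZE];

/* Vulnerable: req + HDR_SIZE wraps around when req > SIZE_MAX - HDR_SIZE. */
size_t vuln_block_size(size_t req) {
    size_t total = req + HDR_SIZE;                        /* may wrap to a tiny value */
    return (total + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);  /* round up to ALIGN */
}

/* Vulnerable allocator: the free-space check is fine, but its input is the wrapped size. */
void *vuln_alloc(size_t req) {
    size_t need = vuln_block_size(req);
    if (need > HEAP_SIZE)
        return NULL;
    /* Caller now believes it owns `req` bytes; a later copy of `req` bytes
     * into this block is the heap overflow the text describes. */
    return g_heap + HDR_SIZE;
}

/* Hardened: bound the request before any arithmetic is done on it. */
int safe_block_size(size_t req, size_t *out) {
    if (req > SIZE_MAX - HDR_SIZE - (ALIGN - 1))
        return 0;                                         /* addition would wrap */
    size_t total = req + HDR_SIZE;
    *out = (total + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
    return 1;
}

void *safe_alloc(size_t req) {
    size_t need;
    if (!safe_block_size(req, &need) || need > HEAP_SIZE)
        return NULL;
    return g_heap + HDR_SIZE;
}

/* The same class of bug in calloc-style count * elem computations; the
 * division form of the check avoids doing the multiplication that could wrap. */
int safe_mul(size_t count, size_t elem, size_t *out) {
    if (count != 0 && elem > SIZE_MAX / count)
        return 0;                                         /* product would wrap */
    *out = count * elem;
    return 1;
}

int main(void) {
    /* Constructed attacker-controlled length, e.g. from an untrusted packet header. */
    size_t huge = SIZE_MAX - 3;
    size_t out;

    printf("vuln_block_size(SIZE_MAX-3) = %zu\n", vuln_block_size(huge));
    printf("vuln_alloc: %s\n", vuln_alloc(huge) ? "block returned (overflow ahead)" : "NULL");
    printf("safe_alloc: %s\n", safe_alloc(huge) ? "block returned" : "NULL (rejected)");
    printf("safe_mul(SIZE_MAX/2+1, 2): %s\n", safe_mul(SIZE_MAX / 2 + 1, 2, &out) ? "ok" : "rejected");
    return 0;
}
```

Run with `cc -Wall badalloc_demo.c && ./a.out`; the vulnerable path reports a block size of 8 for a request of SIZE_MAX-3 and hands back a pointer, while the hardened path returns NULL. When auditing an allocator, look for exactly this pattern: any addition, multiplication or alignment round-up on a caller-supplied size that is not preceded by a bound check against SIZE_MAX.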
Devices Vulnerable to BadAlloc Attacks (List)
OT and IoT devices affected by the BadAlloc vulnerabilities can be found on medical, consumer and industrial networks.
The complete list of affected products includes (links to patches are in CISA's advisory):
- Amazon FreeRTOS, Version 10.4.1
- Apache Nuttx OS, Version 9.1.0
- ARM CMSIS-RTOS2, versions prior to 2.1.3
- ARM Mbed OS, Version 6.3.0
- ARM mbed-ualloc, Version 1.3.0
- Cesanta Software Mongoose OS, v2.17.0
- eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
- Google Cloud IoT Device SDK, Version 1.0.2
- Linux Zephyr RTOS, versions prior to 2.4.0
- Media Tek LinkIt SDK, versions prior to 4.6.1
- Micrium OS, Versions 5.10.1 and prior
- Micrium uCOS II/uCOS III Versions 1.39.0 and prior
- NXP MCUXpresso SDK, versions prior to 2.8.2
- NXP MQX, Versions 5.1 and prior
- Redhat newlib, versions prior to 4.0.0
- RIOT OS, Version 2020.01.1
- Samsung Tizen RT RTOS, versions prior 3.0.GBB
- TencentOS-tiny, Version 3.1.0
- Texas Instruments CC32XX, versions prior to 4.40.00.07
- Texas Instruments SimpleLink MSP432E4XX
- Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
- Uclibc-NG, versions prior to 1.0.36
- Windriver VxWorks, prior to 7.0
How to Mitigate the BadAlloc Vulnerabilities?
BadAlloc was discovered by security researchers David Atch, Omri Ben Bassat, and Tamir Ariel of Microsoft's 'Section 52' Azure Defender for IoT research group, who reported the vulnerabilities to CISA and to the affected vendors.
To minimize the risk of exploitation, CISA recommends that organizations using devices vulnerable to BadAlloc attacks:
- Apply the available vendor updates
- Reduce network exposure for all control system devices and/or systems, and ensure they cannot be reached from the internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods such as Virtual Private Networks (VPNs), and keep the VPN software updated to the most recent version available. Bear in mind that a VPN is only as secure as the devices connected to it.
If vulnerable devices cannot be patched immediately, Microsoft suggests:
- Minimize the attack surface by limiting or eliminating exposure of the vulnerable device to the internet;
- Implement network security monitoring to detect behavioral indicators of compromise;
- Strengthen network segmentation to protect critical assets.
CISA also provides recommended practices for control systems security and a technical information paper on Targeted Cyber Intrusion Detection and Mitigation Strategies.
At the time of disclosure, Microsoft had not observed any exploitation of BadAlloc in the wild. CISA asks organizations to report any suspected malicious activity so that it can be tracked and correlated against other incidents.
The National Security Agency (NSA) has also published an advisory on assessing the risks of IT-to-OT connections and on detecting and limiting malicious activity.