Security researchers from Microsoft have discovered a collection of vulnerabilities dubbed “BadAlloc” that affect a broad range of IoT and OT devices in industrial, medical and consumer sectors.
According to the new report posted by Microsoft’s Section 52, the Azure Defender for IoT security research group, more than 25 critical memory allocation vulnerabilities impact Internet of Things (IoT) and Operational Technology (OT) devices, as well as industrial control systems.
“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds. To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, we strongly encourage organizations to patch their systems as soon as possible,” the Microsoft Section 52 team warned in the blog post.
Microsoft’s Section 52 team assigned the name “BadAlloc” to a class of memory overflow vulnerabilities that is embedded in IoT and OT operating systems and software. Moreover, these flaws relate to the usage of vulnerable memory functions, such as malloc, calloc, realloc, memalign, valloc and pvalloc.
“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device,” Microsoft said.
For a full list of BadAlloc vulnerabilities, please check out the Department of Homeland Security (DHS) security advisory with links to relevant CVEs and more details.
A full list of impacted products include:
- Amazon FreeRTOS, Version 10.4.1
- Apache Nuttx OS, Version 9.1.0
- ARM CMSIS-RTOS2, versions prior to 2.1.3
- ARM Mbed OS, Version 6.3.0
- ARM mbed-uallaoc, Version 1.3.0
- Cesanta Software Mongoose OS, v2.17.0
- eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
- Google Cloud IoT Device SDK, Version 1.0.2
- Linux Zephyr RTOS, versions prior to 2.4.0
- Media Tek LinkIt SDK, versions prior to 4.6.1
- Micrium OS, Versions 5.10.1 and prior
- Micrium uCOS II/uCOS III Versions 1.39.0 and prior
- NXP MCUXpresso SDK, versions prior to 2.8.2
- NXP MQX, Versions 5.1 and prior
- Redhat newlib, versions prior to 4.0.0
- RIOT OS, Version 2020.01.1
- Samsung Tizen RT RTOS, versions prior 3.0.GBB
- TencentOS-tiny, Version 3.1.0
- Texas Instruments CC32XX, versions prior to 4.40.00.07
- Texas Instruments SimpleLink MSP432E4XX
- Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
- Uclibc-NG, versions prior to 1.0.36
- Windriver VxWorks, prior to 7.0.
Although many of these vendors have provided patch updates, a few still have yet to release updates at the time of the latest advisory posted on April 29, 2021.
Microsoft recommends the following mitigations to reduce the risk of attacks against IoT and OT devices:
- Patch affected devices.
- Monitor devices (such as IoT/OT-aware network detection and response (NDR) solution like Azure Defender for IoT), as part of Zero Trust strategy for IoT/OT.
- Reduce the attack surface (such as eliminate internet connections to OT systems and use VPN with Multi-factor authentication (MFA) for remote access)
- Segment your networks (such as isolating IoT devices and OT networks from corporate IT/backoffice networks via firewalls).
Readers can also check out the many related IoT threats and newsworthy events over the past several years as noted below.
- Ttint IoT botnet exploits 2 zero-days to spread RAT
- Ripple20 zero-day vulnerabilities impact hundreds of millions of IoT devices
- Organizations face major IoT risks and challenges
- State-sponsored hackers use IoT devices to breach enterprise networks
- NISTIR 8228: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks
- New Mirai variant exploits IoT devices
- Miori IoT botnet spreads through PHP framework RCE vulnerability
- New Mirai, Gafgyt IoT botnet variants target systems with Apache Struts, SonicWall vulnerability exploits
- FBI warns of IoT risks
- Mirai variant targets IoT devices with 3 new exploits
- Mirai Okiru DDoS botnet targets ARC-based IoT
- BrickerBot IoT malware lessons learned