Microsoft Finds ‘BadAlloc’ Flaws Affecting Wide-Range of IoT and OT Devices

Technology

Microsoft researchers on Thursday disclosed two dozen vulnerabilities affecting a wide range of Internet of Things (IoT) and Operational Technology (OT) devices used in industrial, medical, and enterprise networks that could be abused by adversaries to execute arbitrary code and even cause critical systems to crash.

“These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology, and industrial control systems,” said Microsoft’s ‘Section 52’ Azure Defender for IoT research group.

The flaws have been collectively named “BadAlloc,” for they are rooted in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. A lack of proper input validations associated with these memory allocation functions could enable an adversary to perform a heap overflow, leading to the execution of malicious code on a vulnerable device.

password auditor

“Successful exploitation of these vulnerabilities could result in unexpected behavior such as a crash or a remote code injection/execution,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory. Neither Microsoft nor CISA have released details about the total number of devices affected by the software bugs.

The complete list of devices affected by BadAlloc are as follows –

  • Amazon FreeRTOS, Version 10.4.1
  • Apache Nuttx OS, Version 9.1.0
  • ARM CMSIS-RTOS2, versions prior to 2.1.3
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-uallaoc, Version 1.3.0
  • Cesanta Software Mongoose OS, v2.17.0
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Linux Zephyr RTOS, versions prior to 2.4.0
  • MediaTek LinkIt SDK, versions prior to 4.6.1
  • Micrium OS, Versions 5.10.1 and prior
  • Micrium uCOS II/uCOS III Versions 1.39.0 and prior
  • NXP MCUXpresso SDK, versions prior to 2.8.2
  • NXP MQX, Versions 5.1 and prior
  • Redhat newlib, versions prior to 4.0.0
  • RIOT OS, Version 2020.01.1
  • Samsung Tizen RT RTOS, versions prior 3.0.GBB
  • TencentOS-tiny, Version 3.1.0
  • Texas Instruments CC32XX, versions prior to 4.40.00.07
  • Texas Instruments SimpleLink MSP432E4XX
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  • Uclibc-NG, versions prior to 1.0.36
  • Windriver VxWorks, prior to 7.0

Microsoft said it has found no evidence of these vulnerabilities being exploited to date, although the availability of the patches could allow a bad actor to use a technique called “patch diffing” to reverse engineer the fixes and leverage it to potentially weaponize vulnerable versions of the software.

To minimize the risk of exploitation of these vulnerabilities, CISA recommends organizations apply vendor updates as soon as possible, erect firewall barriers, and isolate system networks from business networks, and curtail exposure of control system devices to ensure they remain inaccessible from the internet.

Products You May Like

Articles You May Like

Trump says European Union must buy U.S. oil and gas in trade ultimatum
NCIS: Origins Season 1 Episode 10 Reveals Who Has Had The Greatest Impact On Gibbs, And It’s Not Mike Franks
Elon Musk Melts Down As House Republicans Show Him That He Has No Power
Mike O’Malley Reflects on Hosting 90s Kids’ Classic ‘Nickelodeon GUTS’ & All That Aggro Crag Drama
Zach Bryan Surprises Fans With Live Album From ‘Quittin’ Time’ Tour, ’24 (Live)’