Critical Code Execution Bugs Found in IoT, OT Devices: Microsoft

Microsoft researchers have discovered multiple memory allocation and remote code execution vulnerabilities in the operating systems for a wide range of commercial, medical and operational technology Internet of Things devices. The vulnerabilities are caused by memory allocation Integer Overflow or Wraparound bugs.

The collection of these 25 security flaws is known as BadAlloc and affects at least 25 different products made by more than a dozen organizations, including Amazon, ARM, Google Cloud, Samsung, Red Hat, Apache and others. Threat actors can exploit them to trigger system crashes and execute malicious code remotely on vulnerable IoT and OT systems.

As of now, exploits leveraging the vulnerabilities haven’t been spotted in the wild, but they offer potential attackers a broad surface area to do damage.

According to an overview compiled by the Cybersecurity and Infrastructure Security Agency, 17 of the affected products already have patches available, while the rest either have updates planned or are no longer supported by the vendor and won’t be patched.

The vulnerabilities were found by Microsoft’s researchers in standard memory allocation functions widely used in multiple real-time operating systems (RTOS), C standard library (libc) implementations, and embedded software development kits (SDKs).

According to the IoT security team, “the research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations.”

“Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.”
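The wraparound class described above, as an added C example (not code from Microsoft, CISA or any affected product): an allocation size computed without validation beside a validated form. The 16-byte header, the function names and the libc-backed toy allocator are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-block bookkeeping header of a toy allocator (assumption). */
#define HDR_SIZE ((size_t)16)

/* Unvalidated pattern: both the multiply and the add can wrap around,
 * so an enormous request turns into a tiny block size. */
size_t unchecked_block_size(size_t nmemb, size_t size)
{
    return nmemb * size + HDR_SIZE;
}

/* Validated form: returns 0 and stores the block size, or -1 if
 * nmemb * size + HDR_SIZE cannot be represented in a size_t. */
int checked_block_size(size_t nmemb, size_t size, size_t *out)
{
    if (size != 0 && nmemb > (SIZE_MAX - HDR_SIZE) / size)
        return -1;
    *out = nmemb * size + HDR_SIZE;
    return 0;
}

/* calloc-style wrapper that refuses a wrapped request instead of
 * handing back a block smaller than the caller believes it has. */
void *checked_calloc(size_t nmemb, size_t size)
{
    size_t total;
    if (checked_block_size(nmemb, size, &total) != 0)
        return NULL;
    unsigned char *blk = calloc(1, total);
    return blk ? blk + HDR_SIZE : NULL;
}

void checked_free(void *p)
{
    if (p != NULL)
        free((unsigned char *)p - HDR_SIZE);
}

int main(void)
{
    size_t n = SIZE_MAX / 2 + 1;   /* constructed input: n * 2 wraps to 0 */
    printf("unchecked size: %zu bytes\n", unchecked_block_size(n, 2));
    printf("checked_calloc: %s\n", checked_calloc(n, 2) ? "allocated" : "rejected");
    return 0;
}
```

The unvalidated computation reports a block of only `HDR_SIZE` bytes for a request the caller believes is enormous, which is the mismatch that leads to the heap overflow the researchers describe; the validated path returns `NULL` instead.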

Affected Devices

Vulnerable IoT and OT devices impacted by the BadAlloc vulnerabilities can be found on consumer, medical, and industrial networks.

“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds,” Microsoft wrote.

The complete list of devices affected by BadAlloc includes:

  • Amazon FreeRTOS, Version 10.4.1
  • Apache NuttX OS, Version 9.1.0
  • ARM CMSIS-RTOS2, versions prior to 2.1.3
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-ualloc, Version 1.3.0
  • Cesanta Software Mongoose OS, v2.17.0
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Linux Zephyr RTOS, versions prior to 2.4.0
  • MediaTek LinkIt SDK, versions prior to 4.6.1
  • Micrium OS, Versions 5.10.1 and prior
  • Micrium uCOS II/uCOS III Versions 1.39.0 and prior
  • NXP MCUXpresso SDK, versions prior to 2.8.2
  • NXP MQX, Versions 5.1 and prior
  • Red Hat newlib, versions prior to 4.0.0
  • RIOT OS, Version 2020.01.1
  • Samsung Tizen RT RTOS, versions prior to 3.0.GBB
  • TencentOS-tiny, Version 3.1.0
  • Texas Instruments CC32XX, versions prior to 4.40.00.07
  • Texas Instruments SimpleLink MSP432E4XX
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  • uClibc-ng, versions prior to 1.0.36
  • Wind River VxWorks, prior to 7.0

Recommendations:

The vulnerabilities were found and reported to CISA and impacted vendors by security researchers David Atch, Omri Ben Bassat, and Tamir Ariel from Microsoft’s ‘Section 52’ Azure Defender for IoT research group.

To decrease exploitation risk, CISA recommends that organizations using devices vulnerable to BadAlloc attacks:

  • Apply available vendor updates.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also, remember that a VPN is only as secure as its connected devices.

In case vulnerable devices cannot be patched immediately, Microsoft highly advises:

  • Reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet.
  • Implementing network security monitoring to detect behavioral indicators of compromise.
  • Strengthening network segmentation to protect critical assets.

CISA also reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.