Microsoft researchers have found and highlighted numerous memory allocation flaws – BadAlloc – affecting IoT networks. They also shared some mitigations for IoT users to avoid potential cyber threats arising from the exploitation of these flaws.
BadAlloc Flaws Affecting IoT
Researchers from Microsoft’s Section 52 Azure Defender for IoT discovered some serious vulnerabilities affecting numerous IoT devices and networks.
Specifically, they noticed some memory allocation flaws, that they called ‘BadAlloc’ affecting IoT systems from different domains. The vulnerable networks include medical IoT, industrial IoT, operational technology (OT), and industrial control systems (ICS).
As elaborated in their blog post, the researchers detected a family of such bugs in embedded IoT and OT systems. Exploiting these bugs could allow an attacker to perform heap overflow. In turn, the attacker could execute malicious codes on the targeted systems remotely.
Explaining the flaws, the post reads,
All of these vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more. Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations.
US CISA has also issued an advisory in this regard, listing 25 vulnerabilities of 23 different types included in BadAlloc. The bugs have received a critical severity rating with a CVSS score of 9.8.
List of vulnerable devices
CISA has mentioned the following as the products affected by BadAlloc.
- Amazon FreeRTOS, Version 10.4.1
- Apache Nuttx OS, Version 9.1.0
- ARM CMSIS-RTOS2, versions prior to 2.1.3
- ARM Mbed OS, Version 6.3.0
- ARM mbed-uallaoc, Version 1.3.0
- Cesanta Software Mongoose OS, v2.17.0
- eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
- Google Cloud IoT Device SDK, Version 1.0.2
- Linux Zephyr RTOS, versions prior to 2.4.0
- Media Tek LinkIt SDK, versions prior to 4.6.1
- Micrium OS, Versions 5.10.1 and prior
- Micrium uCOS II/uCOS III Versions 1.39.0 and prior
- NXP MCUXpresso SDK, versions prior to 2.8.2
- NXP MQX, Versions 5.1 and prior
- Redhat newlib, versions prior to 4.0.0
- RIOT OS, Version 2020.01.1
- Samsung Tizen RT RTOS, versions prior 3.0.GBB
- TencentOS-tiny, Version 3.1.0
- Texas Instruments CC32XX, versions prior to 4.40.00.07
- Texas Instruments SimpleLink MSP432E4XX
- Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
- Uclibc-NG, versions prior to 1.0.36
- Windriver VxWorks, prior to 7.0
Before public disclosure, Microsoft responsibly disclosed all the vulnerabilities to the respective vendors to allow patching the bugs.
Besides, for the users to ensure the security of IoT systems, Microsoft advises them to update their devices with the patches as per their vendor’s directions.
Also, Microsoft recommends using an IoT monitoring solution, limiting internet access to OT control, using VPNs and MFA, and applying network segmentation.
Let us know your thoughts in the comments.