Security researchers at Microsoft recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices that adversaries could exploit to bypass security controls to execute malicious code or cause a system crash.
According to an advisory from Redmond’s Azure Defender for IoT security research group, there are at least 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.
Microsoft is calling the family of vulnerabilities “BadAlloc”. According to Microsoft, the vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
“BadAlloc”: Running Malicious code Through Vulnerable Memory Functions
“BadAlloc”, the family of vulnerabilities discovered in embedded IoT and OT operating systems and software to describe the class of memory overflow vulnerabilities.
These vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more.
“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in the execution of malicious code on a target device”, Microsoft explained.
[Adversaries] could exploit to bypass security controls to execute malicious code or cause a system crash, Microsoft warned.
Microsoft said it worked closely with all the affected vendors in collaboration with the U.S. Department of Homeland Security (DHS) to coordinate the investigation and release of updates.
The list of affected products includes IOT/OT devices sold by Amazon, ARM, Cesanta, Google Cloud, Samsung, Texas Instruments and Tencent. US-CERT mentions that various open-source products are also affected.
“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds. To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, we strongly encourage organizations to patch their systems as soon as possible,” the company said.
Mitigating “BadAlloc” Vulnerabilities
Microsoft recommends that organizations apply mitigating controls to reduce the attack surface, including implementing network security monitoring to detect behavioral indicators of compromise and strengthening network segmentation to protect critical assets.
It is advised to eliminate unnecessary internet connections to OT control systems and implementing VPN access with multi-factor authentication (MFA) when remote access is required.
The DHS warns that VPN devices may also have vulnerabilities and should be updated to the most current version available. The IoT devices and OT networks should be isolated from corporate IT networks using firewalls.