Maksim Kabakou - Fotolia

'BadAlloc' vulnerabilities spell trouble for IoT, OT devices

A week after Microsoft revealed 25 memory allocation vulnerabilities in several IoT and OT products, some devices have been patched, while others have not.

Microsoft disclosed several potentially dangerous vulnerabilities in IoT and operational technology products last week, but it's still unclear what mitigations and patches are available.

In a blog post, Microsoft's Security Response Center detailed its discovery of 25 memory allocation vulnerabilities, which its security research group refers to as "BadAlloc." Exploitation of the vulnerabilities, many of which are critical, could lead to remote code execution (RCE), allowing adversaries to bypass security controls in order to execute malicious code or cause a system to crash. The BadAlloc vulnerabilities cover a wide range of technology, including consumer and medical IoT, industrial IoT, operational technology (OT) and industrial control systems (ICSes).

Microsoft said given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant risk for organizations of all kinds.

"The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs) and C standard library (libc) implementations," the report said.

While Microsoft had not observed any in-the-wild exploitation, it recommended that organizations patch systems as soon as possible. However, applying updates to IoT and OT devices can be more difficult than traditional IT systems.

"At the same time, we recognize that patching IoT/OT devices can be complex," the report said.

The Cybersecurity and Infrastructure Security Agency (CISA) simultaneously released an ICS advisory that warned the flaws affect multiple vendors and multiple critical infrastructure sectors; it also said the impact extends worldwide. The vulnerabilities include integer overflow or wraparound. Like Microsoft, CISA also recommended applying available vendor updates and that users take defensive measures to minimize risk.

According to the Microsoft blog, the memory allocation implementations written for IoT devices and embedded software have not incorporated proper input validations.

"Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device," the report said.

We reached out to Microsoft to see how they discovered these vulnerabilities, but the vendor declined to comment.

The CISA advisory provided further details on the products and CVEs. Most of the listed CVEs scored a Common Vulnerability Scoring System (CVSS) rating above 7. Some more critical ones, including a flaw found in Red Hat newlib versions prior to 4.0.0, assigned as CVE-2021-3420, scored a CVE rating of 9.8 out of 10. While a majority of the BadAlloc flaws have updates available, the CVEs are still in the reserved phase, which, according to MITRE, means the details are not yet public.

We reached out to vendors regarding their responses to the Microsoft disclosure. A spokesperson for Silicon Labs said the software company has already made the updates available to Micrium OS users through Simplicity Studio and uCOS-II/uCOS-III via GitHub. At the time Microsoft published the report, an update had not yet been released for Micrium uCOS-II/uCOS-III.

Additionally, a spokesperson for Arm said it investigated findings from Microsoft regarding two of their products: Mbed OS, an open source operating system for the IoT and CMSIS-RTOS2. At the time the CISA advisory was published, an update was not expected for CMSIS-RT0S2 until June. However, the spokesperson said a patch was released Wednesday for users of the CMSIS-RTOS v2-based Keil RTX5.

"We have provided a patch to our Mbed partners that allowed them to provide this to any customers who were impacted, and we released the patch in both Mbed OS 5.15.7 and 6.9," an Arm spokesperson said.

A third Arm product was listed -- mbed-uallaoc -- but according to the CISA advisory, it is no longer supported and no fix will be issued.

We contacted Texas Instruments, which has five products and four CVEs on the advisory, but the company did not respond. According to the advisory, one of those products, SimpleLink MSP432E4 has no update currently planned. We also reached out to Cesanta and NXP -- two other vendors on the list -- but neither company responded.

Attacks against ICS devices and OT have increased in recent years, and the ability to patch as soon as possible can be critical but difficult to achieve in this sector. In Dragos Inc.'s "Year in Review 2020" report, the industrial cybersecurity vendor said threats have increased threefold as more groups cash in on the cybercrime. Factors such as the CVSS being geared more toward traditional IT than OT and IoT contribute to patching challenges.

Next Steps

Schneider Electric PLCs vulnerable to remote takeover attacks

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing