Microsoft researchers on Thursday disclosed two dozen vulnerabilities affecting a wide range of Internet of Things (IoT) and Operational Technology (OT) devices used in industrial, medical, and enterprise networks that could be abused by adversaries to execute arbitrary code and even cause critical systems to crash.
"These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology, and industrial control systems," said Microsoft's 'Section 52' Azure Defender for IoT research group.
The flaws have been collectively named "BadAlloc" because they are rooted in the standard memory allocation functions (malloc, calloc, realloc and their variants) shipped with widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. The affected allocators do not validate the requested size: when an attacker-influenced element count or size overflows the integer arithmetic used to compute the allocation (CISA classifies the flaws as integer overflow or wraparound), the result wraps to a small value, the allocator hands back a buffer far smaller than the caller expects, and the caller's subsequent writes overflow the heap, which can lead to the execution of malicious code on the vulnerable device.
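The following is an added illustration of the BadAlloc pattern, not code from Microsoft, CISA or any affected vendor. It models a 32-bit embedded target (where size_t is 32 bits wide) with a uint32_t alias, shows a calloc-style size computation that wraps silently beside the hardened form that rejects the request, and computes how far a trusting caller would write past the buffer without actually performing the out-of-bounds write. All function names and the sample element count are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simulate a 32-bit embedded target: size_t there is 32 bits wide.
   (Hypothetical alias for the illustration.) */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Vulnerable pattern (BadAlloc class): the byte count for an array
   allocation is nmemb * size with no overflow check, so the product
   silently wraps modulo 2^32 and a tiny buffer is handed back. */
size32_t alloc_size_unchecked(size32_t nmemb, size32_t size) {
    return (size32_t)(nmemb * size);   /* wraps; truncation made explicit */
}

/* Hardened form: refuse any request whose product cannot fit in size32_t.
   Returns 1 and sets *out on success, 0 if the request is rejected. */
int alloc_size_checked(size32_t nmemb, size32_t size, size32_t *out) {
    if (nmemb != 0 && size > SIZE32_MAX / nmemb)
        return 0;                      /* overflow: reject the request */
    *out = nmemb * size;
    return 1;
}

/* A caller that trusts the unchecked allocator: it asks for nmemb
   elements of `size` bytes and intends to fill every element. Returns
   how many bytes it would write past the granted buffer (0 = no
   overflow). Computed only; no out-of-bounds write is performed. */
uint64_t heap_write_shortfall_unchecked(size32_t nmemb, size32_t size) {
    uint64_t intended = (uint64_t)nmemb * size;
    uint64_t granted  = alloc_size_unchecked(nmemb, size);
    return intended > granted ? intended - granted : 0;
}

/* Same caller using the checked allocator: either the product fits and
   the allocation is exact, or the request is rejected with *buf = NULL. */
int safe_array_alloc(size32_t nmemb, size32_t size, void **buf) {
    size32_t bytes;
    if (!alloc_size_checked(nmemb, size, &bytes)) {
        *buf = NULL;
        return 0;
    }
    *buf = calloc(1, bytes);           /* host calloc; bytes already validated */
    return *buf != NULL;
}

int main(void) {
    /* Constructed attacker-controlled element count, e.g. parsed from a
       network packet: 0x40000001 elements of 4 bytes each. The true size
       is 0x100000004, which wraps to 4 in 32-bit arithmetic. */
    size32_t nmemb = 0x40000001u, size = 4;
    void *p;

    printf("unchecked allocator returns %u bytes for %u x %u\n",
           alloc_size_unchecked(nmemb, size), nmemb, size);
    printf("trusting caller would write %llu bytes past the buffer\n",
           (unsigned long long)heap_write_shortfall_unchecked(nmemb, size));
    printf("checked allocator accepts the request: %d\n",
           safe_array_alloc(nmemb, size, &p));
    free(p);
    return 0;
}
```

The check `size > SIZE32_MAX / nmemb` is the standard overflow guard that the vulnerable allocators omit; it costs one division per allocation and turns a heap overflow into a rejected request.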
"Successful exploitation of these vulnerabilities could result in unexpected behavior such as a crash or a remote code injection/execution," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory. Neither Microsoft nor CISA has released details about the total number of devices affected by the software bugs.
The complete list of devices affected by BadAlloc is as follows -
Microsoft said it has found no evidence of these vulnerabilities being exploited to date, though now that patches are available an attacker could use "patch diffing", comparing patched and unpatched builds to locate the changed code, to reverse engineer the fixes and weaponize unpatched versions of the software.
To minimize the risk of exploitation, CISA recommends that organizations apply vendor updates as soon as possible, place control system networks behind firewalls and isolate them from business networks, and minimize the network exposure of control system devices so that they are not reachable from the internet.