One of Microsoft’s bug hunting teams has discovered 25 vulnerabilities impacting a broad spectrum of smart IoT devices and industrial equipment.

Named “BadAlloc,” the vulnerabilities were discovered Microsoft’s Section 52, the Azure Defender for IoT security research group, who worked with the US Cybersecurity and Infrastructure Security Agency (CISA) to report all issues to their respective vendors.

“The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations,” the Azure Defender team said today in a blog post.

Memory allocation functions are exactly what their name implies. They are coding functions that allow programmers to control how a device’s firmware and its apps work with the device’s built-in physical memory.

“These are internal functions that are widely used by the OS and apps above it. So they can be used by the TCP/IP stack, or by any network-bound app above it,” Ben Seri, VP of Research at IoT security firm Armis, told The Record in an interview today.

The Azure Defender team says that the BadAlloc bugs occur because “memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations.”

“Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device,” the researchers said. As both Microsoft and Seri have pointed out, these attacks can be performed remotely, across a network, or over the internet if the device is reachable online.

Patches available for 15 of 25 products

Microsoft said that it found problems with input validation in memory allocation functions in the following products:

  • Amazon FreeRTOS, Version 10.4.1
  • Apache Nuttx OS, Version 9.1.0 
  • ARM CMSIS-RTOS2, versions prior to 2.1.3
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-uallaoc, Version 1.3.0
  • Cesanta Software Mongoose OS, v2.17.0
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Linux Zephyr RTOS, versions prior to 2.4.0
  • Media Tek LinkIt SDK, versions prior to 4.6.1
  • Micrium OS, Versions 5.10.1 and prior
  • Micrium uCOS II/uCOS III Versions 1.39.0 and prior
  • NXP MCUXpresso SDK, versions prior to 2.8.2
  • NXP MQX, Versions 5.1 and prior
  • Redhat newlib, versions prior to 4.0.0
  • RIOT OS, Version 2020.01.1 
  • Samsung Tizen RT RTOS, versions prior 3.0.GBB
  • TencentOS-tiny, Version 3.1.0
  • Texas Instruments CC32XX, versions prior to 4.40.00.07
  • Texas Instruments SimpleLink MSP432E4XX
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  • Uclibc-NG, versions prior to 1.0.36 
  • Windriver VxWorks, prior to 7.0

According to a CISA advisory released earlier today, at the time of writing, only 15 of the 25 impacted organizations have released security updates to patch the BadAlloc vulnerabilities.

The other ten vendors are expected to release fixes in the coming months, CISA said.

Until patches are available, both CISA and Microsoft have recommended that companies minimize the exposure of vulnerable systems to the internet, monitor IoT/OT systems for anomalies, and segment internal networks to prevent company-wide exploitation of the BadAlloc bugs.

At the time of writing, no publicly available exploits appear to be available for these bugs, but this might change in the coming weeks or months.

CISA has assigned a vulnerability score of 9.8 out of a maximum of 10 for the BadAlloc bugs and has urged organizations to address these issues as soon as possible.

Neither CISA nor Microsoft have released estimates about the number of impacted products. By the vendor names in the list above, the estimate could be easily in the billions.


administrator

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Freelance writer