Follow vendor instructions for applying patches to the affected products. We recommend the following mitigations for organizations with IoT and OT devices: The following are “BadAlloc” examples: Mitigating “BadAlloc” vulnerabilities
This heap overflow enables an attacker to execute malicious code on the target device. While the size of the allocated memory remains small due to the wraparound, the payload associated with the memory allocation exceeds the actual allocated buffer, resulting in a heap overflow. The concept is as follows: When sending this value, the returned outcome is a freshly allocated memory buffer. The memory allocation vulnerabilities can be invoked by calling the memory allocation function, such as malloc(VALUE), with the VALUE parameter derived dynamically from external input and being large enough to trigger an integer overflow or wraparound. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.
Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. All of these vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more. “BadAlloc” is the name assigned by Microsoft’s Section 52 to the family of vulnerabilities discovered in embedded IoT and OT operating systems and software to describe this class of memory overflow vulnerabilities. The Azure RTOS ThreadX documentation has been updated to state that it is “only safe to disable error checking if the application can absolutely guarantee all input parameters are always valid under all circumstances, including input parameters derived from external input.” “BadAlloc”: Running malicious code through vulnerable memory functions Note that Microsoft Azure RTOS ThreadX is not vulnerable in its default configuration. For devices that cannot be patched immediately, we recommend mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet implementing network security monitoring to detect behavioral indicators of compromise and strengthening network segmentation to protect critical assets, as described in the mitigations section at the end of this blog post.
However, we strongly encourage organizations to patch their systems as soon as possible.Īt the same time, we recognize that patching IoT/OT devices can be complex. To date, Microsoft has not seen any indications of these vulnerabilities being exploited. Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds.
These findings have been shared with vendors through responsible disclosure led by the Microsoft Security Response Center (MSRC) and the Department of Homeland Security (DHS), enabling these vendors to investigate and patch the vulnerabilities.įor a full list of affected products and CVEs, please visit the DHS website: ICSA-21-119-04 Multiple RTOS. The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.
Microsoft’s Section 52, the Azure Defender for IoT security research group, recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices that adversaries could exploit to bypass security controls in order to execute malicious code or cause a system crash.