Microsoft warns of BadAlloc flaws in OT, IoT devices

Pierluigi Paganini April 30, 2021

Microsoft researchers are warning of major security vulnerabilities affecting OT and IoT devices and high-risks for businesses using them.

Researchers from Microsoft’s Section 52 team recently uncovered several critical memory allocation flaws, collectively tracked as BadAlloc, affecting IoT and OT devices. The vulnerabilities could be exploited by attackers to bypass security controls to execute malicious code or trigger DoS conditions.

Experts found more than 25 RCE vulnerabilities that potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.

The full list of vulnerabilities is available in an advisory (ICSA-21-119-04) published by the US DHS.

“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.” reads the advisory published by Microsoft.

According to Microsoft, the BadAlloc vulnerabilities resides in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.  

Microsoft, along with the U.S. Department of Homeland Security (DHS), disclosed the issues with all the affected vendors.

IOT/OT devices sold by Amazon, ARM, Cesanta, Google Cloud, Samsung, Texas Instruments and Tencent, along with many other open-source products are affected.

“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent  a significant potential risk for organizations of all kinds. To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, we strongly encourage organizations to patch their systems as soon as possible,” continues the report. 

Microsoft provides the following recommendations to mitigate the risk of attacks on their IoT and OT infrastructure: 

• Patch. Follow vendor instructions for applying patches to the affected products.
• If you can’t patch, monitor. Since most legacy IoT and OT devices don’t support agents, use an IoT/OT-aware network detection and response (NDR) solution like Azure Defender for IoT and SIEM/SOAR solution like Azure Sentinel to auto-discover and continuously monitor devices for anomalous or unauthorized behaviors, such as communication with unfamiliar local or remote hosts. These are essential elements of implementing a Zero Trust strategy for IoT/OT.
 Reduce the attack surface by eliminating unnecessary internet connections to OT control systems and implementing VPN access with multi-factor authentication (MFA) when remote access is required. The DHS warns that VPN devices may also have vulnerabilities and should be updated to the most current version available.
 Segment. Network segmentation is important for Zero Trust because it limits the attacker’s ability to move laterally and compromise your crown jewel assets, after the initial intrusion. In particular, IoT devices and OT networks should be isolated from corporate IT networks using firewalls.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BadAlloc)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment