Microsoft experts have discovered 25 vulnerabilities, named BadAlloc, that threaten a wide range of IoT devices and industrial equipment used in medical and corporate networks.
These vulnerabilities received the generic name BadAlloc. The remote code execution (RCE) vulnerabilities are covered by 25 CVEs and are potentially dangerous across a wide range of domains, from consumer and medical IoT to industrial IoT, operational technology and industrial control systems, according to Microsoft engineers.
The researchers explain that BadAlloc errors occur because various “memory allocation implementations that have been built for many years as part of IoT devices and firmware have not had proper input validation.”
As a result, an attacker can use memory allocation bugs to provoke a heap overflow, which leads to the execution of malicious code on the target device. As Microsoft notes, such attacks can be carried out both locally and remotely, if the device is reachable from the Internet.
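The missing input validation is a size calculation that is never checked for integer wraparound, the weakness class the BadAlloc advisories assign to these bugs. The following added example (not code from Microsoft or any affected vendor) puts an unvalidated `calloc`-style routine beside a validated one; the toy arena and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ARENA_SIZE 4096u

static unsigned char arena[ARENA_SIZE];  /* toy fixed heap, as on a small RTOS */
static size_t arena_used;
static size_t last_reserved;             /* bytes set aside by the last success */

static void *arena_alloc(size_t bytes)
{
    if (bytes > ARENA_SIZE - arena_used)
        return NULL;
    void *p = arena + arena_used;
    arena_used += bytes;
    last_reserved = bytes;
    return p;
}

/* No input validation: n * size wraps modulo SIZE_MAX + 1, so an enormous
 * request can "succeed" while reserving only a few bytes. */
void *calloc_unchecked(size_t n, size_t size)
{
    size_t total = n * size;
    void *p = arena_alloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Validated: reject any request whose byte count is not representable. */
void *calloc_checked(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;
    return calloc_unchecked(n, size);
}

size_t reserved_by_last_call(void) { return last_reserved; }

int main(void)
{
    size_t n = SIZE_MAX / 8 + 2;  /* constructed input: n * 8 wraps to 8 */
    printf("unchecked: %p\n", calloc_unchecked(n, 8));
    printf("reserved:  %zu bytes\n", reserved_by_last_call());
    printf("checked:   %p\n", calloc_checked(n, 8));
    return 0;
}
```

The unchecked call returns a valid pointer to an 8-byte block for a caller that believes it owns `n` elements, which is the condition that turns later writes into a heap overflow; the checked call fails the request instead.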
According to experts, vulnerabilities were found in the following products:
- Amazon FreeRTOS, v. 10.4.1;
- Apache NuttX OS, v. 9.1.0;
- ARM CMSIS-RTOS2, v. before 2.1.3;
- ARM Mbed OS, v. 6.3.0;
- ARM mbed-ualloc, v. 1.3.0;
- Cesanta Software Mongoose OS, v. 2.17.0;
- eCosCentric eCosPro RTOS, v. 2.0.1–4.5.3;
- Google Cloud IoT Device SDK, v. 1.0.2;
- Linux Zephyr RTOS, v. before 2.4.0;
- MediaTek LinkIt SDK, v. before 4.6.1;
- Micrium OS, v. 5.10.1 and earlier;
- Micrium uCOS II/uCOS III, v. 1.39.0 and earlier;
- NXP MCUXpresso SDK, v. before 2.8.2;
- NXP MQX, v. 5.1 and earlier;
- Red Hat newlib, v. before 4.0.0;
- RIOT OS, v. 2020.01.1;
- Samsung Tizen RT RTOS, v. before 3.0.GBB;
- TencentOS-tiny, v. 3.1.0;
- Texas Instruments CC32XX, v. before 4.40.00.07;
- Texas Instruments SimpleLink MSP432E4XX;
- Texas Instruments SimpleLink-CC13XX, v. before 4.40.00;
- Texas Instruments SimpleLink-CC26XX, v. before 4.40.00;
- Texas Instruments SimpleLink-CC32XX, v. before 4.10.03;
- uClibc-ng, v. before 1.0.36;
- Wind River VxWorks, v. before 7.0.
So far, only 15 of the 25 affected vendors have submitted updates to fix BadAlloc issues, according to a post by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA). The other ten vendors are expected to release patches “in the coming months.”
There are no exploits available for these errors yet; however, this could easily change in the coming weeks or months. CISA rated the BadAlloc problems 9.8 out of 10 and encouraged all affected organizations to fix the vulnerabilities as soon as possible.
Neither CISA nor Microsoft has released even a rough estimate of the number of affected products. However, judging by which manufacturers are included in the above list, billions of devices may be affected.