Microsoft finds code execution (BadAlloc) vulnerabilities in IoT and OT devices

Microsoft security researchers have discovered more than 20 critical remote code execution (RCE) vulnerabilities in Internet of Things (IoT) devices and operational technology (OT) industrial systems. These 25 security vulnerabilities are collectively referred to as BadAlloc and are caused by integer overflow or wraparound errors in memory allocation code. Attackers can use them to crash systems and remotely execute malicious code on IoT and OT devices.

Microsoft researchers have discovered these vulnerabilities in the standard memory allocation functions widely used in multiple real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.

Microsoft's security response center team stated that the memory allocation implementations written for IoT devices and embedded software over many years do not properly validate their input. An attacker can therefore pass a crafted size to a memory allocation function so that the size computation wraps around, the allocation comes back far smaller than requested, and the subsequent write overflows the heap, which can lead to malicious code execution on the target device.
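To make the allocation flaw described above concrete, here is an added illustration in C; it is not code from Microsoft's advisory or from any of the affected projects. The hypothetical `unchecked_total` mirrors the BadAlloc pattern (an element count multiplied by an element size with no wraparound check), and `checked_total` and `safe_calloc` show the validation a hardened allocator performs. All function names and the sample request sizes are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size computation in the BadAlloc style (constructed example):
 * count * size is computed in size_t with no overflow check, so a very large
 * request can silently wrap around to a tiny number of bytes. */
size_t unchecked_total(size_t count, size_t size) {
    return count * size;   /* may wrap around silently */
}

/* Hardened version: refuse the request when count * size would not fit in
 * size_t. The division test avoids computing the product before checking it. */
bool checked_total(size_t count, size_t size, size_t *out) {
    if (count != 0 && size > SIZE_MAX / count) {
        return false;      /* would wrap: caller must treat this as an error */
    }
    *out = count * size;
    return true;
}

/* Zeroed array allocation that performs the check a safe calloc must do.
 * Returns NULL instead of handing back an undersized buffer. */
void *safe_calloc(size_t count, size_t size) {
    size_t total;
    if (!checked_total(count, size, &total)) {
        return NULL;
    }
    /* Request at least one byte so a zero-length request is still distinguishable
     * from allocation failure. */
    void *p = malloc(total ? total : 1);
    if (p != NULL) {
        memset(p, 0, total);
    }
    return p;
}

int main(void) {
    /* Constructed request: count chosen so that count * 4 wraps to exactly 4
     * bytes regardless of whether size_t is 32 or 64 bits wide. */
    size_t count = SIZE_MAX / 4 + 2;
    size_t total;

    printf("unchecked total for %zu elements of 4 bytes: %zu bytes\n",
           count, unchecked_total(count, 4));
    printf("checked_total accepts the request: %s\n",
           checked_total(count, 4, &total) ? "yes" : "no");
    printf("safe_calloc returns: %s\n",
           safe_calloc(count, 4) == NULL ? "NULL (rejected)" : "a buffer");
    return 0;
}
```

The unchecked computation returns 4 bytes for a request that should have been several gigabytes, which is exactly the undersized buffer that a later write overruns; the checked version rejects the same request before any memory is handed out.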

After discovering these vulnerabilities, Microsoft security researchers reported them to CISA and the affected vendors. According to the report, IoT and OT devices vulnerable to BadAlloc are found mainly in consumer, medical and industrial networks, and the affected software includes Amazon FreeRTOS, Apache NuttX OS and the Google Cloud IoT Device SDK, among others. The complete list can be found in the CISA announcement. CISA and Microsoft recommend that organizations using devices vulnerable to BadAlloc take the following measures to reduce risk:

• Patch. Follow vendor instructions for applying patches to the affected products.
• If you can’t patch, monitor. Since most legacy IoT and OT devices don’t support agents, use an IoT/OT-aware network detection and response (NDR) solution like Azure Defender for IoT and a SIEM/SOAR solution like Azure Sentinel to auto-discover and continuously monitor devices for anomalous or unauthorized behaviors, such as communication with unfamiliar local or remote hosts. These are essential elements of implementing a Zero Trust strategy for IoT/OT.
• Reduce the attack surface by eliminating unnecessary internet connections to OT control systems and implementing VPN access with multi-factor authentication (MFA) when remote access is required. The DHS warns that VPN devices may also have vulnerabilities and should be updated to the most current version available.
• Segment. Network segmentation is important for Zero Trust because it limits the attacker’s ability to move laterally and compromise your crown jewel assets after the initial intrusion. In particular, IoT devices and OT networks should be isolated from corporate IT networks using firewalls.

In addition, CISA provides recommended practices for control system security and a technical information document on targeted network intrusion detection and mitigation strategies. Although Microsoft has not so far observed BadAlloc being exploited in the wild, CISA requires organizations to report any malicious activity directed against them in order to facilitate tracking.