Microsoft Finds Critical Code Execution Bugs In IoT, OT Devices

Recently, world-leading giant Microsoft security unit has reported that around 24 critical remote code execution (RCE) vulnerabilities have been found in Operational Technology (OT) industrial systems and Internet of Things (IoT) appliances. The research unit said that this security flaw in the system is collectively known as BadAlloc and because of the memory allocation Integer Overflow or Wraparound bugs, the attack occurred. 

The unit reported that the cybercriminal could utilize this access into the system to crash and execute malicious code remotely into the system. The vulnerabilities have been discovered by Microsoft’s researchers into standard memory allocation systems that come into use in multiple real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. 

“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations…”, the research team noted. 

“…Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device, the Microsoft security research team has reported”, they further added.

There is a long list of appliance that get affected by the BadAlloc vulnerabilities: 

• Amazon FreeRTOS, Version 10.4.1 

• ARM Mbed OS, Version 6.3.0 

• eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3 

• ARM mbed-uallaoc, Version 1.3.0 

• Cesanta Software Mongoose OS, v2.17.0 

• ARM CMSIS-RTOS2, versions prior to 2.1.3 

• Apache Nuttx OS, Version 9.1.0 

• Media Tek LinkIt SDK, versions prior to 4.6.1 

• Google Cloud IoT Device SDK, Version 1.0.2 

• Micrium OS, Versions 5.10.1 and prior 

• Micrium uCOS II/uCOS III Versions 1.39.0 and prior 

• Linux Zephyr RTOS, versions prior to 2.4.0 

• NXP MCUXpresso SDK, versions prior to 2.8.2 

• NXP MQX, Versions 5.1 and prior 

• RIOT OS, Version 2020.01.1 

• Samsung Tizen RT RTOS, versions prior 3.0.GBB 

• Redhat newlib, versions prior to 4.0.0 

• Texas Instruments SimpleLink MSP432E4XX 

• Texas Instruments CC32XX, versions prior to 4.40.00.07 

• Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00 

• Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03 

• Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00 

• Windriver VxWorks, prior to 7.0 

• Uclibc-NG, versions prior to 1.0.36 

• TencentOS-tiny, Version 3.1.0 

Reportedly, as soon as the security flaw was found out into the system the research unit reported it to the CISA and the vendors.