Infosec pros urged to patch IoT and OT devices

Infosec pros are being urged to patch or mitigate a wide range of consumer, medical, industrial, operational technology and industrial control systems after the discovery of a series of critical memory allocation vulnerabilities.

The remote code execution (RCE) bugs cover more than 25 critical vulnerabilities in versions of products including a number of real-time operating systems such as Amazon FreeRTOS, Linux Zephyr RTOS and Wind River’s VxWorks; embedded software development kits (SDKs) such as Google Cloud IoT Device SDK; and C standard library (libc) implementations such as Redhat newlib.

Adversaries could exploit them to bypass security controls in order to execute malicious code or cause a system crash, according to the researchers at Microsoft who discovered the vulnerabilities.

Its findings have been shared with vendors through disclosure led by the Microsoft Security Response Center (MSRC) and the U.S. Department of Homeland Security (DHS), allowing vendors time to investigate and patch the vulnerabilities.

According to the U.S. Cybersecurity and Infrastructure Security Agency, 17 of the 25 products already have patches available. Security updates for several others are in the works. However, products that are no longer supported, such as the ARM mbed-ualloc, will not be patched.

Texas Instruments says no patch is planned for the TI SimpleLink MSP432E4.

“For devices that cannot be patched immediately, we recommend mitigating controls such as reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioural indicators of compromise; and strengthening network segmentation to protect critical assets,” Microsoft researchers said.

A full list of affected products and CVEs can be found here.

Researchers are calling the family of vulnerabilities “BadAlloc.” All of them stem from the use of vulnerable memory allocation functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and others.

“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in the execution of malicious code on a target device,” they wrote.
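The following C program is an added illustration of the missing input validation the researchers describe; it is example code written for this article, not code from Microsoft or from any of the affected products. It assumes that the relevant form of the missing check is an allocation-size computation that silently wraps around, and the 16-byte block header it simulates is a constructed value, not one taken from any real allocator. It places an unvalidated size computation beside a validated one, so that a request large enough to wrap is rejected instead of producing an undersized block that later writes would overrun.

```c
/* Added example (not from the article or any affected project): a heap
 * allocator's block-size computation with and without input validation.
 * Assumption: the relevant missing check is unsigned wraparound in the
 * count * size (+ header) arithmetic. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated allocator bookkeeping: many embedded heaps prepend a small
 * header to each block. The 16-byte figure is constructed for this example. */
#define HEADER_BYTES 16u

/* Unvalidated computation, the pattern to avoid: count * size is evaluated
 * in size_t and silently wraps, so a huge request becomes a tiny block. */
size_t naive_block_size(size_t count, size_t size) {
    return count * size + HEADER_BYTES;
}

/* Validated computation: refuses any request whose byte total cannot be
 * represented. Returns true and stores the total on success, false otherwise. */
bool checked_block_size(size_t count, size_t size, size_t *total) {
    if (count == 0 || size == 0) {
        *total = HEADER_BYTES;            /* zero-length request: header only */
        return true;
    }
    if (count > SIZE_MAX / size)          /* count * size would wrap */
        return false;
    size_t payload = count * size;
    if (payload > SIZE_MAX - HEADER_BYTES) /* adding the header would wrap */
        return false;
    *total = payload + HEADER_BYTES;
    return true;
}

/* Convenience wrapper: the validated total, or 0 when the request is rejected. */
size_t block_size_or_zero(size_t count, size_t size) {
    size_t total;
    return checked_block_size(count, size, &total) ? total : 0;
}

/* calloc-style allocation built on the validated size. Returns NULL on
 * overflow rather than handing back an undersized block. */
void *checked_calloc(size_t count, size_t size) {
    size_t total;
    if (!checked_block_size(count, size, &total))
        return NULL;
    unsigned char *block = malloc(total);
    if (block == NULL)
        return NULL;
    memset(block, 0, total);
    return block + HEADER_BYTES;          /* caller receives the payload area */
}

void checked_free(void *payload) {
    if (payload != NULL)
        free((unsigned char *)payload - HEADER_BYTES);
}

int main(void) {
    /* Constructed request that wraps: (SIZE_MAX/2 + 2) * 2 == SIZE_MAX + 3. */
    size_t count = SIZE_MAX / 2 + 2, size = 2, total;
    printf("naive size for huge request:   %zu bytes\n", naive_block_size(count, size));
    printf("checked size for huge request: %s\n",
           checked_block_size(count, size, &total) ? "accepted" : "rejected");
    void *p = checked_calloc(64, sizeof(uint32_t));
    printf("checked_calloc(64, 4): %s\n", p ? "ok" : "NULL");
    checked_free(p);
    return 0;
}
```

The naive path turns the oversized request into an 18-byte block (2 bytes of wrapped payload plus the header), which is exactly the undersized allocation that a subsequent copy of the intended length would overflow; the checked path rejects both the multiplication and the header addition when either would wrap, so the caller sees a NULL return and can fail closed.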

So far, Microsoft says it has not seen any sign these vulnerabilities have been exploited.

However, as news spreads there is the possibility that threat actors will try to leverage them in unpatched systems. Administrators who regularly patch their devices may already have their systems protected.

Microsoft also notes that network segmentation is important because it limits the attacker’s ability to move laterally and compromise an organization’s crown jewel assets. In particular, it adds, IoT devices and OT networks should be isolated from corporate IT networks using firewalls.

Jim Love, Chief Content Officer, IT World Canada

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]