Infosec pros are being urged to patch or mitigate a wide range of consumer, medical and industrial devices, operational technology (OT) and industrial control systems (ICS) after the discovery of a series of critical memory allocation vulnerabilities.
The remote code execution (RCE) bugs cover more than 25 critical vulnerabilities in versions of products including a number of real-time operating systems such as Amazon FreeRTOS, the Linux Foundation's Zephyr RTOS and Wind River's VxWorks; embedded software development kits (SDKs) such as the Google Cloud IoT Device SDK; and C standard library (libc) implementations such as Red Hat's newlib.
Adversaries could exploit the flaws to bypass security controls in order to execute malicious code or crash a device, according to the researchers at Microsoft who discovered the vulnerabilities.
Its findings have been shared with vendors through disclosure led by the Microsoft Security Response Center (MSRC) and the U.S. Department of Homeland Security (DHS), allowing vendors time to investigate and patch the vulnerabilities.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), 17 of the 25 products already have patches available. Security updates for several others are in the works. However, products that are no longer supported, such as ARM mbed-ualloc, will not be patched.
Texas Instruments says no patch is planned for the TI SimpleLink MSP432E4.
“For devices that cannot be patched immediately, we recommend mitigating controls such as reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioural indicators of compromise, and strengthening network segmentation to protect critical assets,” Microsoft researchers said.
A full list of affected products and CVEs can be found here.
Researchers are calling the family of vulnerabilities "BadAlloc." All of them stem from memory allocation functions (malloc, calloc, realloc, memalign, valloc, pvalloc and similar) that do not validate the size they are asked for: an attacker-influenced request can wrap the allocator's internal size arithmetic, so the function hands back a buffer far smaller than the caller believes it owns, and the caller's subsequent writes overflow the heap.
“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in the execution of malicious code on a target device,” they wrote.
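The following C program is an added illustration of the defect class the researchers describe; it is not Microsoft's code or any affected vendor's allocator. A toy bump allocator computes the chunk size from an untrusted request by adding a bookkeeping header and rounding up to the alignment. The unchecked version lets that arithmetic wrap, so a request of nearly SIZE_MAX bytes shrinks to a few bytes, passes the arena bound check and "succeeds"; the hardened version uses the compiler's overflow-checking builtins and refuses it. The header size, alignment, arena size, the calloc-style multiply helper and all function names are assumptions made for this example.

```c
/* Added example: unchecked vs. checked allocation-size arithmetic.
 * Not code from Microsoft or any BadAlloc-affected project. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE    8u    /* hypothetical per-chunk header (size, flags) */
#define ALIGN       8u    /* hypothetical chunk alignment */
#define ARENA_BYTES 256u  /* hypothetical heap arena for the toy allocator */

/* Vulnerable pattern: req + header can wrap to a tiny value; the
 * subsequent round-up hides the wrap completely. */
static size_t unchecked_chunk_size(size_t req) {
    size_t total = req + HDR_SIZE;                       /* may wrap */
    return (total + (ALIGN - 1)) & ~(size_t)(ALIGN - 1); /* round up */
}

/* Hardened pattern: compute header + alignment slack in one checked add
 * and refuse any request whose rounded size does not fit in size_t. */
static bool checked_chunk_size(size_t req, size_t *out) {
    size_t total;
    if (__builtin_add_overflow(req, HDR_SIZE + (ALIGN - 1), &total))
        return false;                                    /* would wrap */
    *out = total & ~(size_t)(ALIGN - 1);
    return true;
}

/* calloc-style element-count arithmetic, unchecked and checked. */
static size_t unchecked_calloc_bytes(size_t nmemb, size_t size) {
    return nmemb * size;                                 /* may wrap to 0 */
}
static bool checked_calloc_bytes(size_t nmemb, size_t size, size_t *out) {
    return !__builtin_mul_overflow(nmemb, size, out);
}

static unsigned char arena[ARENA_BYTES];
static size_t arena_used;

/* Toy bump allocator. `checked` selects which size computation it trusts;
 * the arena bound test below is the allocator's only safety check, and a
 * wrapped size sails straight through it. */
static void *toy_alloc(size_t req, bool checked) {
    size_t need;
    if (checked) {
        if (!checked_chunk_size(req, &need))
            return NULL;
    } else {
        need = unchecked_chunk_size(req);
    }
    if (need > ARENA_BYTES - arena_used)
        return NULL;                         /* does not fit in arena */
    unsigned char *chunk = arena + arena_used;
    memset(chunk, 0, HDR_SIZE);              /* header would record `need` */
    arena_used += need;
    return chunk + HDR_SIZE;                 /* caller assumes `req` usable bytes */
}

static void toy_reset(void) { arena_used = 0; }

int main(void) {
    size_t huge = SIZE_MAX - 4;              /* attacker-chosen request */
    printf("unchecked chunk size for SIZE_MAX-4: %zu bytes\n",
           unchecked_chunk_size(huge));
    printf("unchecked toy_alloc: %s\n",
           toy_alloc(huge, false) ? "returned a buffer (heap overflow waiting)"
                                  : "refused");
    toy_reset();
    printf("checked toy_alloc:   %s\n",
           toy_alloc(huge, true) ? "returned a buffer" : "refused");
    printf("unchecked calloc bytes for (SIZE_MAX/4+1) x 4: %zu\n",
           unchecked_calloc_bytes(SIZE_MAX / 4 + 1, 4));
    return 0;
}
```

The unchecked allocator returns an 8-byte chunk for a request of SIZE_MAX-4 bytes, and a calloc-style count of SIZE_MAX/4+1 elements of 4 bytes collapses to zero; any caller that then copies attacker-controlled data into the "huge" buffer writes over the rest of the heap. The fix is the same regardless of allocator design: check every addition and multiplication on the request path, or clamp requests to a sane maximum before arithmetic.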
So far, Microsoft says it has not seen any sign these vulnerabilities have been exploited.
However, as news spreads there is the possibility that threat actors will try to leverage them in unpatched systems. Administrators who regularly patch their devices may already have their systems protected.
Microsoft also notes that network segmentation is important because it limits the attacker’s ability to move laterally and compromise an organization’s crown jewel assets. In particular, it adds, IoT devices and OT networks should be isolated from corporate IT networks using firewalls.