Security researchers at Microsoft are raising the alarm for multiple gaping security holes in a wide range of enterprise internet-connected devices, warning that the high-risk bugs expose businesses to remote code execution attacks.
According to an advisory from Redmond’s Azure Defender for IoT security research group, there are at least 25 documented vulnerabilities (CVEs) affecting a wide range of IoT and operational technology (OT) devices the industrial, medical, and enterprise networks.
Microsoft is calling the family of vulnerabilities "BadAlloc".
“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device,” Microsoft explained.
[Adversaries] could exploit to bypass security controls in order to execute malicious code or cause a system crash, Microsoft warned.
A separate advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provides a list of affected devices and information on applying available security patches.
According to Microsoft, the vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
Learn More About OT Security at SecurityWeek’s ICS Cyber Security Conference
Microsoft said it worked closely with all the affected vendors in collaboration with the U.S. Department of Homeland Security (DHS) to coordinate the investigation and release of updates.
The list of affected products include IOT/OT devices sold by Amazon ..
Support the originator by clicking the read the rest link below.
