Microsoft Finds 25 Critical Code Execution Vulnerabilities Caused by Memory Allocation Bugs



Microsoft security researchers have discovered over two dozen critical remote code execution (RCE) vulnerabilities in Internet of Things (IoT) devices and Operational Technology (OT) industrial systems.


These 25 security flaws are known collectively as BadAlloc and are caused by memory allocation Integer Overflow or Wraparound bugs.


Threat actors can exploit them to trigger system crashes and execute malicious code remotely on vulnerable IoT and OT systems.


The vulnerabilities were found by Microsoft's researchers in standard memory allocation functions widely used in multiple real-time operating systems (RTOS), C standard library (libc) implementations, and embedded software development kits (SDKs).


"Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations," the Microsoft Security Response Center team said.


"Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device."
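The missing validation described above, as an added example (not code from Microsoft's research or from any affected product): an allocator's size computation that wraps, next to a version that rejects the request. The function names and the 16-byte `BLOCK_HEADER` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed size of the bookkeeping header a heap places before each block. */
#define BLOCK_HEADER ((size_t)16)

/* No validation: both the multiplication and the header addition are done
 * modulo SIZE_MAX + 1, so a huge request can turn into a tiny byte count.
 * The caller then writes count * elem bytes into a block that is far
 * smaller, which is the heap overflow the quote refers to. */
size_t request_size_unchecked(size_t count, size_t elem)
{
    return count * elem + BLOCK_HEADER;
}

/* Validated: returns 0 and stores the total on success, or -1 when either
 * arithmetic step would wrap. An allocator should fail the request
 * (return NULL) whenever this returns -1. */
int request_size_checked(size_t count, size_t elem, size_t *total)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return -1;                      /* count * elem would wrap */
    size_t payload = count * elem;
    if (payload > SIZE_MAX - BLOCK_HEADER)
        return -1;                      /* payload + header would wrap */
    *total = payload + BLOCK_HEADER;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one wraps in the multiply, one in the add. */
    size_t cases[][2] = {
        { 16, 4 },
        { SIZE_MAX / 2 + 1, 2 },
        { 1, SIZE_MAX - 7 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t total = 0;
        int rc = request_size_checked(cases[i][0], cases[i][1], &total);
        printf("count=%zu elem=%zu unchecked=%zu checked=%s\n",
               cases[i][0], cases[i][1],
               request_size_unchecked(cases[i][0], cases[i][1]),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```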


Devices vulnerable to BadAlloc attacks


Vulnerable IoT and OT devices impacted by the BadAlloc vulnerabilities can be found on consumer, medical, and industrial networks. 


The complete list of devices affected by BadAlloc includes (links to patches are available in CISA's advisory):


Amazon FreeRTOS, Version 10.4.1
Apache NuttX OS, Version 9.1.0
ARM CMSIS-RTOS2, versions prior to 2.1.3
ARM Mbed OS, Version 6.3.0
ARM mbed-ualloc, Version 1.3.0
Cesanta Software Mongoose OS, v2.17.0
..