Recently, a world-leading giant Microsoft security unit has reported that around 24 critical remote code execution (RCE) vulnerabilities have been found in Operational Technology (OT) industrial systems and Internet of Things (IoT) appliances. The research unit said that this security flaw in the system is collectively known as BadAlloc and because of the memory allocation Integer Overflow or Wraparound bugs, the attack occurred.
The unit reported that the cybercriminal could utilize this access into the system to crash and execute malicious code remotely into the system. The vulnerabilities have been discovered by Microsoft's researchers into standard memory allocation systems that come into use in multiple real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
"Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations…”, the research them noted.
"…Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device, the Microsoft security research team has reported”, they further added.
There is a long list of appliance that get affected by the BadAlloc vulnerabilities:
• Amazon FreeRTOS, Version 10.4.1
• ARM Mbed OS, Version 6.3.0
• eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
• ARM mbed-uallaoc, Version 1.3.0
• Cesanta Software Mongoose OS, v2.17.0
• ARM CMSIS-RTOS2, versions prior to 2.1.3
• Apache Nuttx OS, Version 9.1.0
• Media Tek LinkIt SDK, versions prior to 4.6.1
• Google Cloud IoT Device SDK, Version 1.0.2
• Micrium OS, Versions 5.10.1 and prior
• Micrium uCOS II/uCOS III Versions 1.39.0 and prior
• Linu ..
Support the originator by clicking the read the rest link below.
