Microsoft researchers have uncovered more than 25 memory allocation vulnerabilities that affect a long list of real time operating systems (RTOS) and libraries that are used in IoT and medical devices, operational technology devices, and industrial control systems.
The vulnerabilities are all the result of the use of vulnerable memory functions in the libraries and RTOS, and attackers could use them for remote code execution. Microsoft’s Section 52 research team disclosed the flaws publicly Thursday but reported them privately to all of the affected vendors, as well as the Cybersecurity and Infrastructure Security Agency. Although the vulnerabilities exist in a huge range of devices, Microsoft’s researchers said they had not seen any evidence of exploitation yet. Microsoft named the group of vulnerabilities BadAlloc.
Among the vendors whose products are affected are Amazon, Google, ARM, Samsung, and Texas Instruments, but the number of affected devices would be nearly impossible to estimate. Many of those devices likely will never be patched, and others won’t be patched for months because of where they’re located in OT or ICS networks.
“IoT devices because of their placement can be difficult to patch. OT devices elevate that problem to a much higher level because organizations usually can’t patch unless there’s an approved downtime window, and that could be three or six months down the road,” said Grant Geyer, chief product officer at Claroty, an OT security firm.
These types of vulnerabilities are by no means new and the risks of using these memory functions without input validation are very well known and well documented. A group of security researchers gave a talk about similar issues at Black Hat in 2002. Memory allocation bugs still emerge in applications all the time, despite many years of improvements in mitigations and input validation. The IoT and embedded systems world is a completely different story, though, and not a positive one.
“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device,” Microsoft said.
“The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds.”
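The defect Microsoft describes above, an allocator doing arithmetic on a caller-supplied size without first validating it, is easy to see in a few lines of C. The following is an added illustration, not code from Microsoft's advisory or from any affected RTOS or libc; the header size and alignment constants, the function names, and the oversized request are all assumptions constructed for the example. The unchecked function wraps a request near SIZE_MAX into a tiny block, which is the condition that lets a later write run past the block on the heap; the checked versions reject the request before the arithmetic can wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical allocator bookkeeping: every block carries a small header
 * and is rounded up to an alignment boundary. These constants are assumed
 * for illustration, not taken from any vendor's allocator. */
#define HEADER_SIZE 16u
#define ALIGNMENT   8u

/* Unchecked size computation of the kind the BadAlloc advisory describes:
 * header and padding are added without asking whether the sum still fits
 * in size_t. For a request near SIZE_MAX the result wraps to a small value,
 * so the allocator hands back far less memory than the caller asked for. */
size_t block_size_unchecked(size_t requested) {
    size_t total = requested + HEADER_SIZE;            /* may wrap */
    total = (total + (ALIGNMENT - 1)) & ~(size_t)(ALIGNMENT - 1);
    return total;
}

/* Hardened version: validate the input before doing arithmetic on it.
 * Returns false (and leaves *out untouched) when the rounded total would
 * exceed SIZE_MAX, so the caller fails the allocation instead of receiving
 * an undersized block. */
bool block_size_checked(size_t requested, size_t *out) {
    /* Largest request that still leaves room for header plus padding. */
    const size_t limit = SIZE_MAX - HEADER_SIZE - (ALIGNMENT - 1);
    if (requested > limit)
        return false;
    size_t total = requested + HEADER_SIZE;
    total = (total + (ALIGNMENT - 1)) & ~(size_t)(ALIGNMENT - 1);
    *out = total;
    return true;
}

/* Same idea for the count * element_size pattern used by calloc-style
 * APIs: reject the request if the multiplication would wrap. */
bool array_size_checked(size_t count, size_t elem, size_t *out) {
    if (elem != 0 && count > SIZE_MAX / elem)
        return false;
    return block_size_checked(count * elem, out);
}

int main(void) {
    size_t huge = SIZE_MAX - 4;   /* constructed hostile request */
    size_t total;
    printf("unchecked: request %zu -> block of %zu bytes\n",
           huge, block_size_unchecked(huge));
    if (!block_size_checked(huge, &total))
        printf("checked:   request %zu rejected\n", huge);
    if (block_size_checked(100, &total))
        printf("checked:   request 100 -> block of %zu bytes\n", total);
    if (!array_size_checked(SIZE_MAX / 2 + 1, 2, &total))
        printf("checked:   array of %zu x 2 bytes rejected\n", SIZE_MAX / 2 + 1);
    return 0;
}
```

The same limit check belongs in every path that adds a header, rounds to an alignment boundary, or multiplies a count by an element size; the advisory's point is that many embedded allocators skipped it for years, and reviewing an allocator for exactly these three arithmetic steps is a quick way to tell whether a codebase shares the pattern.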
Most of the vendors with affected products have released updates or patches for the vulnerabilities; however, Texas Instruments has not published updates for its SimpleLink platform.
Claroty’s Geyer said the breadth of the issues Microsoft found was surprising, as were the vulnerabilities themselves.
“What’s surprising to me is how many RTOS didn’t implement safety checks when using memory safety tools like malloc. The variety of devices that are affected is huge. There could be tens or hundreds of millions,” he said.
“The common wisdom is that OT gear is this brown field, obsolete devices. But these issues show that the green field, newer gear is just as much of an issue and needs to be cared for, as well.”
CISA has released mitigations for organizations that are not able to patch affected devices, including removing Internet exposure for control system devices.