A broad spectrum of security vulnerabilities impacting a multitude of IoT devices has been detected by security researchers at Microsoft’s Azure Defender for IoT research group.

Azure Defender finds critical IoT security holes:

These could have severe consequences in the application fields of these devices such as the medical IoT, Industrial IoT, Operational Technology, and industrial control systems.

According to Microsoft Azure Defender, these are critical remote code execution (RCE) vulnerabilities covering more than 25 CVEs.

These vulnerabilities could be abused by adversaries to execute arbitrary code or to crash critical systems.

Microsoft Azure Defender has also warned that these vulnerabilities could have dangerous implications across a wide range of domains, including industrial, medical, and enterprise networks.

These flaws have been collectively named “BadAlloc,” because they are rooted in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.

Regarding exploitation, it has been noted that a threat actor could trigger a heap overflow where these memory allocation functions lack proper input validation.
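As an added illustration (not code from Microsoft, CISA, or any product in this report), the snippet below shows a toy embedded allocator whose size computation wraps around when a per-block header is added to a huge request, beside a hardened version that checks the arithmetic before touching the heap. The header size, alignment and static arena are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed allocator constants for illustration, not from any listed RTOS. */
#define HEADER_SIZE 16u   /* bookkeeping prepended to every block */
#define ALIGN 8u          /* allocation alignment */
static uint8_t arena[4096];   /* toy static heap */
static size_t arena_used;

static size_t align_up(size_t n) {
    return (n + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
}

/* BadAlloc-style defect: nothing checks that requested + HEADER_SIZE fits in
   size_t. A request near SIZE_MAX wraps to a tiny total, so the allocator
   reserves a few bytes while the caller believes it owns `requested` bytes. */
size_t unchecked_total_size(size_t requested) {
    return align_up(requested + HEADER_SIZE);
}

/* Hardened form: reject any request whose total (header plus alignment
   slack) is not representable. Returns false on overflow. */
bool checked_total_size(size_t requested, size_t *total) {
    if (requested > SIZE_MAX - HEADER_SIZE - (ALIGN - 1))
        return false;
    *total = align_up(requested + HEADER_SIZE);
    return true;
}

/* Bump allocator built on the unchecked size: succeeds for an absurd request. */
void *vulnerable_alloc(size_t requested) {
    size_t total = unchecked_total_size(requested);
    if (total > sizeof arena - arena_used)
        return NULL;
    void *block = arena + arena_used + HEADER_SIZE;
    arena_used += total;
    return block;
}

/* Same allocator with the overflow check in front of the capacity check. */
void *hardened_alloc(size_t requested) {
    size_t total;
    if (!checked_total_size(requested, &total) || total > sizeof arena - arena_used)
        return NULL;
    void *block = arena + arena_used + HEADER_SIZE;
    arena_used += total;
    return block;
}
```

A caller that receives the non-NULL block from `vulnerable_alloc` and writes into it at the size it asked for runs straight off the end of the arena, which is the heap overflow the report describes.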

CISA ‘BadAlloc’ Advisory:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released a security advisory on the BadAlloc vulnerabilities that details the affected products.

“Successful exploitation of these vulnerabilities could result in unexpected behavior such as a crash or a remote code injection/execution,” CISA said in its advisory.

The complete list of devices affected by BadAlloc is as follows:

  • Amazon FreeRTOS, Version 10.4.1
  • Apache Nuttx OS, Version 9.1.0
  • ARM CMSIS-RTOS2, versions prior to 2.1.3
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-uallaoc, Version 1.3.0
  • Cesanta Software Mongoose OS, v2.17.0
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Linux Zephyr RTOS, versions prior to 2.4.0
  • MediaTek LinkIt SDK, versions prior to 4.6.1
  • Micrium OS, Versions 5.10.1 and prior
  • Micrium uCOS II/uCOS III Versions 1.39.0 and prior
  • NXP MCUXpresso SDK, versions prior to 2.8.2
  • NXP MQX, Versions 5.1 and prior
  • Redhat newlib, versions prior to 4.0.0
  • RIOT OS, Version 2020.01.1
  • Samsung Tizen RT RTOS, versions prior to 3.0.GBB
  • TencentOS-tiny, Version 3.1.0
  • Texas Instruments CC32XX, versions prior to 4.40.00.07
  • Texas Instruments SimpleLink MSP432E4XX
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  • Uclibc-NG, versions prior to 1.0.36
  • Windriver VxWorks, prior to 7.0

Unpatched devices remain vulnerable:

According to Azure Defender, there is currently no evidence indicating that these vulnerabilities are being exploited in the wild.

However, the security organizations have warned that a bad actor could exploit them by using patch diffing.

Patch diffing is a common technique of comparing two binary builds of the same code: a known-vulnerable one and one containing a security fix.

The differences reveal what was fixed, and that knowledge can be turned against unpatched versions of the software.

CISA has also recommended that users and vendors apply the latest security fixes to their software and devices as soon as possible, deploy firewalls, isolate control system networks from business networks, and minimize the network exposure of control system devices.