Researchers from Microsoft’s Azure security team have disclosed several critical vulnerabilities in various IoT and industrial systems, which a remote hacker can exploit for code execution. The 25 vulnerabilities recorded were found in memory allocation of specific devices, which have been reported to CISA lately. Patches for most are available.
RCE Vulnerabilities in IoT and OT
David Atch, Omri Ben Bassat, and Tamir Ariel from Section 52 of Microsoft’s Azure Defender for IoT research group has detailed a new report, explaining 25 critical vulnerabilities in various IoT and Operational Technology (OT) systems. These are collectively known as BadAlloc, as they’re known to be Wraparound bugs or the memory allocation integer overflow ones.
Researchers found these bugs to be available in embedded software development kits (SDKs), several real-time operating systems (RTOS), and C standard library (libs) implementations in their memory allocation functions. And the issue here is defined as improper input validations used by all these devices.
This has been happening for years, with vendors failing to adopt proper validation protocols. Researchers warned that a hacker could perform a heap overflow attack to exploit these bugs and execute a malicious code remotely on the target’s device. Thus, they warned users to be aware and patch them immediately.
Researchers have shared their findings with the CISA, which has published an advisory containing the URLs to patches for all affected devices as below;
- Amazon FreeRTOS, Version 10.4.1
- Apache Nuttx OS, Version 9.1.0
- ARM CMSIS-RTOS2, versions before 2.1.3
- ARM Mbed OS, Version 6.3.0
- ARM mbed-uallaoc, Version 1.3.0
- Cesanta Software Mongoose OS, v2.17.0
- eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
- Google Cloud IoT Device SDK, Version 1.0.2
- Linux Zephyr RTOS, versions before 2.4.0
- Media Tek LinkIt SDK, versions before 4.6.1
- Micrium OS, Versions 5.10.1 and prior
- Micrium uCOS II/uCOS III Versions 1.39.0 and prior
- NXP MCUXpresso SDK, versions before 2.8.2
- NXP MQX, Versions 5.1 and prior
- Redhat newlib, versions prior to 4.0.0
- RIOT OS, Version 2020.01.1
- Samsung Tizen RT RTOS, versions prior to 3.0.GBB
- TencentOS-tiny, Version 3.1.0
- Texas Instruments CC32XX, versions prior to 4.40.00.07
- Texas Instruments SimpleLink MSP432E4XX
- Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
- uclibc-NG, versions prior to 1.0.36
- Windriver VxWorks, prior to 7.0
Meanwhile, for those devices where the patches are unavailable or delayed, CISA has recommended the following practices for securing themselves;
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also, remember that VPN is only as secure as its connected devices.