The security research group for Azure Defender for IoT, dubbed Section 52, has found a batch of bad memory allocation operations in code used in Internet of Things and operational technology (OT) such as industrial control systems that could lead to malicious code execution.
Given the trendy vulnerability name of BadAlloc, the vulnerabilities are related to not properly validating input, which leads to heap overflows, and can eventually end at code execution.
“All of these vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more,” the research team wrote in a blog post.
The use of these functions gets problematic when passed external input that can cause an integer overflow or wraparound as values to the functions.
“The concept is as follows: When sending this value, the returned outcome is a freshly allocated memory buffer,” the team said.
“While the size of the allocated memory remains small due to the wraparound, the payload associated with the memory allocation exceeds the actual allocated buffer, resulting in a heap overflow. This heap overflow enables an attacker to execute malicious code on the target device.”
Microsoft said it worked with the US Department of Homeland Security to alert the impacted vendors and patch the vulnerabilities.
The list of affected products in the advisory includes devices from Google Cloud, Arm, Amazon, Red Hat, Texas Instruments, and Samsung Tizen. CVSS v3 scores range from 3.2 in the case of Tizen to 9.8 for Red Hat newlib prior to version 4.
As with most vulnerabilities, Microsoft’s primary piece of advice is to patch the affected products, but with the possibility of industrial equipment being hard to update, Redmond suggests disconnecting devices from the internet if possible or putting them behind a VPN with 2FA authentication, have a form of network security and monitoring to detect behavioural indicators of compromise, and use network segmentation to protect critical assets.
“Network segmentation is important for zero trust because it limits the attacker’s ability to move laterally and compromise your crown jewel assets, after the initial intrusion,” the team wrote.
“In particular, IoT devices and OT networks should be isolated from corporate IT networks using firewalls.”