Researchers David Atch, Omri Ben Bassat, and Tamir Ariel at Microsoft have discovered multiple vulnerabilities in various IoT and OT systems which are being collectively called BadAlloc. Potentially allowing threat actors to initiate system shutdowns and allow for remote code executions, researchers have found them in multiple real-time operating systems (RTOS), C standard library (libc) implementations, and embedded software development kits (SDKs). After initially discovering the vulnerabilities, researchers found that industries such as consumer, industrial, and medical use the devices that are at risk. Some patches have been made already and can be found via CISA’s advisory. The full list of devices that are affected include:
- Amazon FreeRTOS, Version 10.4.1
- Apache Nuttx OS, Version 9.1.0
- ARM CMSIS-RTOS2, versions prior to 2.1.3
- ARM Mbed OS, Version 6.3.0
- ARM mbed-uallaoc, Version 1.3.0
- Cesanta Software Mongoose OS, v2.17.0
- eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
- Google Cloud IoT Device SDK, Version 1.0.2
- Linux Zephyr RTOS, versions prior to 2.4.0
- Media Tek LinkIt SDK, versions prior to 4.6.1
- Micrium OS, Versions 5.10.1 and prior
- Micrium uCOS II/uCOS III Versions 1.39.0 and prior
- NXP MCUXpresso SDK, versions prior to 2.8.2
- NXP MQX, Versions 5.1 and prior
- Redhat newlib, versions prior to 4.0.0
- RIOT OS, Version 2020.01.1
- Samsung Tizen RT RTOS, versions prior 3.0.GBB
- TencentOS-tiny, Version 3.1.0
- Texas Instruments CC32XX, versions prior to 4.40.00.07
- Texas Instruments SimpleLink MSP432E4XX
- Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
- Uclibc-NG, versions prior to 1.0.36
- Windriver VxWorks, prior to 7.0
Analyst Notes
CISA has released a solid list of recommendations for the vulnerabilities that can be immediately patched. For those that can be patched, it is advised that people using the devices:
• Apply available vendor updates.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also, remember that VPN is only as secure as its connected devices.
The Microsoft team has also released a list of recommendations for devices that can’t immediately be patched, those include:
• Reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet.
• Implementing network security monitoring to detect behavioral indicators of compromise.
• Strengthening network segmentation to protect critical assets.
Source: https://www.bleepingcomputer.com/news/security/microsoft-finds-critical-code-execution-bugs-in-iot-ot-devices/?&web_view=true
