Microsoft's Section 52 research team discovered 25 critical vulnerabilities affecting various internet of things (IoT) and operational technology (OT) devices.
The Azure Defender for IoT security group warned that threat actors could exploit the critical memory allocation vulnerabilities to bypass various security controls and execute malicious code remotely.
The security flaws, dubbed “BadAlloc”, affect several vendors’ devices in a wide range of domains, including consumer electronics, medical IoT, and industrial control systems (ICS).
Lack of input validation responsible for IoT security critical vulnerabilities
Microsoft’s research team noted that various IoT device vendors failed to implement input validation in their memory allocators, allowing attackers to inject malicious code.
“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations,” the report stated. “Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.”
The researchers added that the critical memory allocation vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and others to allocate memory.
The IoT security critical vulnerabilities can be triggered by calling the vulnerable function and passing a parameter taken from external input, for example, malloc(MALICIOUS_INPUT). The parameter must be large enough to trigger an overflow, a system crash, or a wraparound.
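As an added example (not code from Microsoft's report or from any affected vendor), the size arithmetic that BadAlloc-style bugs get wrong, modelled in C with an assumed 16-byte chunk header: the unchecked version wraps a huge externally supplied length to a tiny chunk, while the checked version rejects the request before malloc is ever called.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of an embedded allocator that prepends a chunk header.
 * HDR_SIZE is an assumed value chosen for illustration. */
#define HDR_SIZE 16u

/* Vulnerable pattern: no check that len + HDR_SIZE fits in size_t.
 * A request near SIZE_MAX wraps to a tiny chunk; the caller then writes
 * `len` bytes into it and overflows the heap. */
static size_t unchecked_chunk_size(size_t len) {
    return len + HDR_SIZE;            /* wraps when len > SIZE_MAX - HDR_SIZE */
}

/* Hardened pattern: reject the request before the arithmetic can wrap.
 * Returns 0 on overflow; 0 is never a valid chunk size because the
 * header alone is non-zero. */
static size_t checked_chunk_size(size_t len) {
    if (len > SIZE_MAX - HDR_SIZE)
        return 0;
    return len + HDR_SIZE;
}

/* Same check for calloc-style count * size requests. Returns 0 on overflow. */
static size_t checked_mul(size_t n, size_t size) {
    if (n != 0 && size > SIZE_MAX / n)
        return 0;
    return n * size;
}

/* How a hardened allocator front-end would use the check: any request whose
 * total would wrap is refused with NULL instead of reaching malloc(). */
static void *safe_alloc(size_t len) {
    size_t total = checked_chunk_size(len);
    return total ? malloc(total) : NULL;
}
```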
Memory allocation problem systemic across devices and implementations
The researchers found that the memory allocation problem persisted across various areas including the C standard library (libc), real-time operating systems (RTOS), and embedded software development kits (SDKs).
Microsoft researchers noted that they had not observed real-world exploitation of the IoT security critical vulnerabilities. However, they noted that if successfully exploited, they posed significant risks to all types of organizations.
Microsoft informed the Department of Homeland Security’s Critical Infrastructure and Security Agency (DHS-CISA) of the IoT security critical vulnerabilities. They also disclosed their findings to device vendors allowing them to further investigate the problem.
DHS-CISA released a list of vulnerable devices, including ones from Amazon, ARM, Samsung, and Texas Instruments, among others. Affected SDKs include the Google Cloud IoT Device SDK and the MediaTek LinkIt SDK before v. 4.6.1. Real-time and IoT operating systems containing BadAlloc bugs include Amazon FreeRTOS v. 10.4.1, Samsung Tizen RT RTOS before version 3.9.GBB, and Apache NuttX OS version 9.1.0.
Some vendors uninterested in patching the IoT security flaws
Patches have been released for fifteen of the affected devices, while fixes for others are planned.
Surprisingly, some device vendors do not plan to patch the exposed IoT security critical vulnerabilities. However, system administrators can apply various mitigations recommended by CISA and Microsoft to minimize network exposure.
Suggested mitigations include network segmentation, isolating vulnerable networks and devices, and setting various firewall rules.
The researchers also recommended continuous network monitoring for suspicious behaviors such as requests to unknown remote hosts.
Additionally, network administrators could disconnect OT devices or place them behind VPNs with an additional layer of security, such as multi-factor authentication. The extra security layer is necessary because VPN appliances can themselves have critical vulnerabilities, further exposing the networks.
Commenting on IoT security flaws, Tal Ben-David, VP R&D and co-founder of Karamba Security, said:
“Manufacturers can’t assert that such third-party OS and libraries are black boxes to them. Given the mission-critical and life-risking devices that are affected by the reported vulnerabilities, IoT and Edge device manufacturers can leverage the deterministic nature of such devices and protect them against the exploitation of hidden issues in their binaries and in the OS and third-party software that they use.”
He suggested that organizations could prevent threat actors from exploiting the IoT security vulnerabilities by “adding deterministic runtime defense controls” such as data execution prevention and control flow integrity.
“Most of the announced vulnerabilities will not be trivial to exploit (only one of them received a Critical CVSS score),” Ilya Khivrich, Chief Scientist at Vdoo, said. “More importantly, the practical exploitability of the vulnerabilities will depend on the code using the memory allocation libraries in which the bugs were found.”
Khivrich added that the discovery of the 25 critical vulnerabilities highlighted the importance of understanding the software components present in devices and their configurations.
“The discovered vulnerabilities cover quite a large range of platforms commonly used in IoT devices, and verifying the used library versions and applying updates or patches will be the most important step. In order to identify similar additional vulnerabilities in these and other libraries, companies should use in-depth testing techniques such as API fuzzing.”
“The vulnerabilities presented by Microsoft’s Section 52 affecting the memory allocators are a perfect example of how security issues that were solved in consumer operating systems years ago are still very present in the OT world,” said Andrea Carcano, Co-Founder of Nozomi Networks.