Section 52, the security research group for Azure Defender for IoT, has found several memory allocation issues in code used by Internet of Things (IoT) and operational technology (OT) devices such as industrial control systems. The security holes could lead to code execution.
The vulnerabilities have been dubbed BadAlloc and are related to improper input validation which can lead to heap overflows and eventually remote code execution.
“All of these vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more,” the Section 52 research team wrote in a blog post.
An attacker who can supply the size values passed to these functions can craft external input that causes an integer overflow or wraparound in the allocation size.
“The concept is as follows: When sending this value, the returned outcome is a freshly allocated memory buffer,” the team explained.
“While the size of the allocated memory remains small due to the wraparound, the payload associated with the memory allocation exceeds the actual allocated buffer, resulting in a heap overflow. This heap overflow enables an attacker to execute malicious code on the target device.”
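An added illustration of the wraparound the quotes above describe (this is not code from Microsoft's write-up or from any affected product): the unchecked size computation a vulnerable parser would use beside a checked one that refuses lengths that would wrap. The 16-byte header and the message format are assumptions; arithmetic is done in 32-bit to mirror a typical embedded target.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed fixed-size header that precedes each payload in a constructed message format. */
#define HDR_LEN 16u

/* Vulnerable pattern: allocation size = HDR_LEN + payload_len, computed in 32-bit
 * unsigned arithmetic. A length close to UINT32_MAX wraps the sum to a small value,
 * so the buffer returned by malloc() no longer covers the payload that follows. */
uint32_t unchecked_msg_size(uint32_t payload_len) {
    return HDR_LEN + payload_len;  /* silently wraps modulo 2^32 */
}

/* Hardened pattern: reject any length for which the sum would wrap.
 * Returns false and leaves *out untouched when HDR_LEN + payload_len overflows. */
bool checked_msg_size(uint32_t payload_len, uint32_t *out) {
    if (payload_len > UINT32_MAX - HDR_LEN) return false;
    *out = HDR_LEN + payload_len;
    return true;
}

/* Allocation wrapper built on the checked size: on overflow it returns NULL so the
 * caller drops the message instead of copying the payload into an undersized block. */
uint8_t *alloc_msg_buffer(uint32_t payload_len) {
    uint32_t bytes;
    if (!checked_msg_size(payload_len, &bytes)) return NULL;
    return malloc(bytes);
}

/* True when the unchecked path accepts a length that the checked path rejects,
 * i.e. when the computed size ends up smaller than the payload it must hold. */
bool demonstrates_wraparound(uint32_t payload_len) {
    uint32_t checked;
    bool ok = checked_msg_size(payload_len, &checked);
    return !ok && unchecked_msg_size(payload_len) < payload_len;
}

int main(void) {
    uint32_t len = 0xFFFFFFF8u;  /* constructed length: HDR_LEN + len wraps to 8 */
    uint32_t bytes = 0;
    printf("unchecked size for a %u-byte payload: %u bytes\n",
           (unsigned)len, (unsigned)unchecked_msg_size(len));
    printf("checked path accepts it: %s\n", checked_msg_size(len, &bytes) ? "yes" : "no");
    uint8_t *buf = alloc_msg_buffer(1024u);  /* sane length: 1040-byte buffer */
    free(buf);
    return 0;
}
```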
Microsoft said it involved the US Department of Homeland Security and alerted the affected vendors. Before public disclosure, the company released patches for the vulnerabilities mentioned.
The company lists affected products in an advisory; the list includes devices from Google Cloud, Amazon, Arm, Red Hat, Texas Instruments, and Samsung Tizen. CVSS v3 scores range from 3.2 in the case of Tizen to 9.8 for Red Hat newlib prior to version 4.
Microsoft urges companies using the affected appliances to apply the patches. But since industrial equipment can be hard to update, Microsoft also suggests disconnecting devices from the internet, monitoring the network for anomalies, removing internet connections where possible, and segmenting networks.
“Network segmentation is important for zero trust because it limits the attacker’s ability to move laterally and compromise your crown jewel assets, after the initial intrusion,” the team wrote. “In particular, IoT devices and OT networks should be isolated from corporate IT networks using firewalls.”