Microsoft warns of IoT OS vulnerabilities

  • May 5, 2021
  • Steve Rogerson
Figure: BadAlloc example

Memory allocation vulnerabilities could affect a wide range of IoT and OT devices in industrial, medical and enterprise networks, according to security researchers at Microsoft.

Microsoft’s Section 52, the Azure Defender for IoT security research group, recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices that adversaries could exploit to bypass security controls to execute malicious code or cause a system crash.

These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to industrial IoT, operational technology (OT), and industrial control systems.

The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits and C standard library implementations. These findings have been shared with vendors through responsible disclosure led by the Microsoft Security Response Center (MSRC) and the US Department of Homeland Security (DHS), enabling these vendors to investigate and patch the vulnerabilities.

Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organisations of all kinds. To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, it strongly encourages organisations to patch their systems as soon as possible.

At the same time, it recognises that patching IoT and OT devices can be complex. For devices that cannot be patched immediately, it recommends mitigating controls such as: reducing the attack surface by minimising or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioural indicators of compromise; and strengthening network segmentation to protect critical assets.

Microsoft Azure RTOS ThreadX is not vulnerable in its default configuration. The Azure RTOS ThreadX documentation has been updated to state that it is “only safe to disable error checking if the application can absolutely guarantee all input parameters are always valid under all circumstances, including input parameters derived from external input”.

BadAlloc is the name Microsoft’s Section 52 assigned to this class of memory overflow vulnerabilities, the family it discovered in embedded IoT and OT operating systems and software. All of them stem from the use of vulnerable memory allocation functions such as malloc, calloc, realloc, memalign, valloc and pvalloc.

The research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.

The vulnerabilities are triggered by calling a memory allocation function, such as malloc(VALUE), with a VALUE parameter that is derived dynamically from external input and is large enough to cause an integer overflow or wraparound in the size calculation.

The concept is as follows: when such a value is passed, the call still returns a freshly allocated memory buffer. Because of the wraparound, the allocated buffer is small, while the payload associated with the allocation is sized according to the original, unwrapped value and therefore exceeds the buffer, resulting in a heap overflow. This heap overflow enables an attacker to execute malicious code on the target device.
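As an added illustration (not code from the article or from Microsoft’s research), the C program below shows the size-calculation wraparound described above in the two shapes it commonly takes, count × element size and header + length, beside overflow-checked versions that fail closed. It models a 32-bit size_t with uint32_t so the wrap reproduces on a 64-bit host; all function names and inputs are constructed for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model a 32-bit size_t, as on most embedded targets, so the wraparound
 * reproduces on a 64-bit host as well. */
typedef uint32_t emb_size_t;

/* Vulnerable pattern: size derived from an external record count with no check.
 * The product wraps silently past 2^32 - 1, so a huge count yields a tiny size
 * and the allocation succeeds with a buffer far smaller than the payload. */
emb_size_t naive_total_size(emb_size_t count, emb_size_t elem_size) {
    return count * elem_size;
}

/* Hardened pattern: detect the overflow before it happens and report failure.
 * Returns 1 and writes *out on success, 0 when the product would wrap. */
int checked_total_size(emb_size_t count, emb_size_t elem_size, emb_size_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size) return 0;
    *out = count * elem_size;
    return 1;
}

/* Same idea for the other common shape, header + length, where addition wraps. */
int checked_add(emb_size_t a, emb_size_t b, emb_size_t *out) {
    if (a > UINT32_MAX - b) return 0;
    *out = a + b;
    return 1;
}

/* Allocator wrapper that refuses requests whose size would wrap (or is zero),
 * so callers fail closed instead of writing past a too-small heap buffer. */
void *checked_alloc_records(emb_size_t count, emb_size_t elem_size) {
    emb_size_t total;
    if (!checked_total_size(count, elem_size, &total) || total == 0) return NULL;
    return malloc(total);
}

int main(void) {
    /* Constructed input: a record count as a peer might send it in a length field. */
    emb_size_t hostile = 0x40000001u, total;  /* 0x40000001 * 4 = 0x100000004 -> wraps to 4 */
    printf("naive size: %" PRIu32 " bytes (wrapped)\n", naive_total_size(hostile, 4));
    printf("checked: %s\n", checked_total_size(hostile, 4, &total) ? "ok" : "rejected");
    void *p = checked_alloc_records(16, 4);
    printf("sane request: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```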

Microsoft recommends the following mitigations for organisations with IoT and OT devices:

  • Patch. Follow vendor instructions for applying patches to the affected products.
  • If you can’t patch, monitor. Since most legacy IoT and OT devices don’t support agents, use IoT- and OT-aware network detection and response (NDR) products such as Azure Defender for IoT, and SIEM/SOAR offerings such as Azure Sentinel, to auto-discover and continuously monitor devices for anomalous or unauthorised behaviour, such as communication with unfamiliar local or remote hosts. These are essential elements of implementing a zero-trust strategy for IoT and OT.
  • Reduce the attack surface by eliminating unnecessary internet connections to OT control systems and implementing VPN access with multi-factor authentication when remote access is required. The DHS warns that VPN devices may also have vulnerabilities and should be updated to the most current version available.
  • Segment. Network segmentation is important for zero trust because it limits the attacker’s ability to move laterally and compromise crown jewel assets after the initial intrusion. In particular, IoT devices and OT networks should be isolated from corporate IT networks using firewalls.

Microsoft’s Section 52 is the security research group for Azure Defender for IoT. The group comprises security researchers and data scientists with deep domain expertise in IoT and OT threat hunting, malware reverse engineering, incident response, and data analysis. The group also provides threat intelligence updates to Azure Defender for IoT, enabling detection and mitigation of the most recent IoT and OT vulnerabilities and threats.