Azure Defender security team discovers that memory allocation is a systemic problem that can allow threat actors to execute malicious code remotely or cause entire systems to crash.
Security
researchers at Microsoft are warning the industry about 25 as-yet undocumented
critical memory-allocation vulnerabilities across a number of vendors’ IoT and
industrial devices that threat actors could exploit to execute malicious code
across a network or cause an entire system to crash.
Dubbing the
newly discovered family of vulnerabilities “BadAlloc,” Microsoft’s Section
52—which is the Azure Defender for IoT security research group–said the flaws
have the potential to affect a wide range of domains, from consumer and medical
IoT devices to industry IoT, operational technology, and industrial control
systems, according to a report published
online Thursday by the Microsoft Security Response Center (MSRC).
“Our research shows that memory
allocation implementations written throughout the years as part of IoT devices
and embedded software have not incorporated proper input validations,”
according to the report. “Without these input validations, an attacker could
exploit the memory allocation function to perform a heap overflow, resulting in
execution of malicious code on a target device.”
Memory
allocation is exactly what it sounds like–the basic set of instructions device
makers give a device for how to allocate memory. The vulnerabilities stem from
the usage of vulnerable memory functions across all the devices, such as
malloc, calloc, realloc, memalign, valloc, pvalloc, and more, according to the
report.
From what
researchers have found, the problem is systemic, so it can exist in various
aspects of devices, including real-time operating systems (RTOS), embedded
software development kits (SDKs), and C standard library (libc)
implementations, they said. And as IoT and OT devices are highly pervasive,
“these vulnerabilities, if successfully exploited, represent a significant
potential risk for organizations of all kinds,” researchers observed.
On a positive
note, Microsoft Section 52 said it has not seen any of the vulnerabilities as
yet exploited in the wild. Researchers have disclosed their findings with the
vendors whose devices are affected through responsible disclosure led by the
MSRC and the Department of Homeland Security (DHS), leaving vendors now to
investigate and patch the vulnerabilities, if appropriate.
A separate
advisory by the Cybersecurity Infrastructure and Security Agency includes a full list of
affected devices, which comprise a number of products from Texas Instruments as
well as others from ARM, Samsung and Amazon, among other vendors.
Of that list of
25 devices, 15 already have updates. Meanwhile, some vendors do not expect to
have updates to fix the problem for various reasons, and others will release
fixes at a later date, according to the advisory.
If administrators
running networks on which affected devices are present can’t apply patches to
fix the problem, the CISA and Microsoft have recommended other mitigations.
The CISA
recommends minimizing network exposure for all control system devices and/or systems
to ensure that they are not accessible by the internet, which makes them
low-hanging fruit for threat actors.
The agency also
advised that system administrators practice network segmentation, isolating
system networks and remote devices from the business network as well as putting
them behind firewalls. If remote access to these devices is required, secure
methods should be used, such as VPNs that are updated with the latest security
protocols, the CISA said.
Microsoft
recommends similar mitigations but also suggested that administrators implement
more careful and continuous monitoring of devices on networks “for anomalous or
unauthorized behaviors, such as communication with unfamiliar local or remote
hosts.”
Comments
Post a Comment