Researchers in Microsoft’s Section 52, the Azure Defender for IoT security research group, identified over two dozen flaws that could potentially impact a wide range of consumer, medical devices as well as industrial control systems.
The vulnerabilities, dubbed BadAlloc by the researchers, stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more.
We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.
- We've put together a list of the best endpoint protection software
- Here's our choice of the best malware removal software on the market
- And, these are the best firewall apps and services
These memory allocation functions are widely used in multiple real-time operating systems (RTOS), C standard library (libc) implementations, and embedded software development kits (SDKs).
The vulnerabilities were found and reported to the US Cybersecurity and Infrastructure Security Agency (CISA) and have been successfully mitigated.
"Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations," wrote the Microsoft Security Response Center (MSRC) team.
They add that due to the lack of proper input validation, an attacker could have exploited the memory allocation function to perform a heap overflow, which would have allowed them to trigger system crashes or execute malicious code on the vulnerable device.
In its advisory, CISA lists the exact products that are affected by the BadAlloc vulnerabilities, along with a link to their available or upcoming mitigations.
It also notes that while it isn’t aware of any active exploitation of the BadAlloc vulnerabilities in the wild, organizations are asked to keep an eye out and report any malicious activity that seems to exploit the BadAlloc vulnerabilities.
- Protect your devices with these best antivirus software
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.