Microsoft uncovers critical security bugs in IoT devices

IoT
(Image credit: Pixabay)

Microsoft security researchers have discovered a series of critical remote code execution (RCE) vulnerabilities in Internet of Things (IoT) and Operational Technology (OT) devices.

Researchers in Microsoft’s Section 52, the Azure Defender for IoT security research group, identified over two dozen flaws that could potentially impact a wide range of consumer, medical devices as well as industrial control systems.

The vulnerabilities, dubbed BadAlloc by the researchers, stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more.

TechRadar needs you!

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window<<

These memory allocation functions are widely used in multiple real-time operating systems (RTOS), C standard library (libc) implementations, and embedded software development kits (SDKs).

The vulnerabilities were found and reported to the US Cybersecurity and Infrastructure Security Agency (CISA) and have been successfully mitigated.

Improper validation

"Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations," wrote the Microsoft Security Response Center (MSRC) team.

They add that due to the lack of proper input validation, an attacker could have exploited the memory allocation function to perform a heap overflow, which would have allowed them to trigger system crashes or execute malicious code on the vulnerable device.

In its advisory, CISA lists the exact products that are affected by the BadAlloc vulnerabilities, along with a link to their available or upcoming mitigations.

It also notes that while it isn’t aware of any active exploitation of the BadAlloc vulnerabilities in the wild, organizations are asked to keep an eye out and report any malicious activity that seems to exploit the BadAlloc vulnerabilities.

Via BleepingComputer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.