On 29 April 2021, Microsoft released a report on 25 critical memory allocation flaws in internet-of-things (IoT) and operational technology (OT) devices that are commonly connected to industrial, medical, and enterprise networks.
Separately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory with a list of affected devices and recommendations on applying the security patches.
The flaws, collectively dubbed "BadAlloc", exist in standard functions used in real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
The memory allocation implementations in the affected devices lack proper input validation. This could allow threat actors to trigger a heap overflow, execute malicious code, or cause a denial-of-service (DoS) condition.
The most severe flaw has been assigned a CVSS v3 score of 9.8.
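The page does not detail which inputs go unvalidated. The following example is added here and is not code from the page, the Microsoft report or any affected vendor; it illustrates one check a hardened allocator wrapper would perform, namely rejecting a request whose byte count would wrap around before it reaches the allocator. It assumes a 32-bit embedded target (modelled with uint32_t so the wrap-around reproduces on a 64-bit host), and the 8-byte block header is a constructed value.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the target is a 32-bit embedded system, so the allocator's
   size type is 32 bits wide. Modelled explicitly with uint32_t so the
   wrap-around behaves identically on a 64-bit development host. */
typedef uint32_t rtos_size_t;
#define RTOS_SIZE_MAX UINT32_MAX

/* Bytes of bookkeeping prepended to every block (constructed value). */
#define BLOCK_HEADER 8u

/* Unchecked size computation: the request is trusted and the arithmetic on
   it is never validated. count * elem_size + header can wrap to a small
   number, so the caller receives a block far smaller than it asked for and
   a later copy into it runs past the end of the heap block. */
rtos_size_t unchecked_block_size(rtos_size_t count, rtos_size_t elem_size) {
    return count * elem_size + BLOCK_HEADER;
}

/* Checked size computation. Returns 1 and writes the byte count on success,
   0 if any intermediate result would wrap the 32-bit size type. */
int checked_block_size(rtos_size_t count, rtos_size_t elem_size,
                       rtos_size_t *out) {
    if (count == 0 || elem_size == 0) {
        return 0;                               /* reject empty requests */
    }
    if (count > RTOS_SIZE_MAX / elem_size) {
        return 0;                               /* count * elem_size wraps */
    }
    rtos_size_t payload = count * elem_size;
    if (payload > RTOS_SIZE_MAX - BLOCK_HEADER) {
        return 0;                               /* payload + header wraps */
    }
    *out = payload + BLOCK_HEADER;
    return 1;
}

/* Convenience form for callers that only need the size or a failure marker:
   returns the checked block size, or 0 if the request was rejected. */
rtos_size_t checked_block_size_or_zero(rtos_size_t count, rtos_size_t elem_size) {
    rtos_size_t bytes;
    return checked_block_size(count, elem_size, &bytes) ? bytes : 0;
}

/* Hardened allocation wrapper: allocates only when the checked computation
   succeeds, so the returned payload is always count * elem_size bytes long.
   Returns NULL on rejected or failed allocations. */
void *hardened_calloc_like(rtos_size_t count, rtos_size_t elem_size) {
    rtos_size_t bytes;
    if (!checked_block_size(count, elem_size, &bytes)) {
        return NULL;
    }
    unsigned char *block = malloc(bytes);
    if (block == NULL) {
        return NULL;
    }
    memset(block, 0, bytes);
    return block + BLOCK_HEADER;                /* hand out the payload */
}

/* Matching free for payloads returned by hardened_calloc_like. */
void hardened_free(void *payload) {
    if (payload != NULL) {
        free((unsigned char *)payload - BLOCK_HEADER);
    }
}

/* Round-trip helper: allocate, fill every payload byte, free. Returns 1 if
   the allocation was accepted and the full payload was writable. */
int alloc_roundtrip(rtos_size_t count, rtos_size_t elem_size) {
    unsigned char *p = hardened_calloc_like(count, elem_size);
    if (p == NULL) {
        return 0;
    }
    memset(p, 0xAA, (size_t)count * elem_size);
    hardened_free(p);
    return 1;
}
```

With a 32-bit size type, a request for 0x40000001 elements of 4 bytes computes to 4 bytes of payload in the unchecked version (12 bytes with the header) while the caller believes it owns 4 GiB; the checked version refuses the same request. The division-based test avoids performing the multiplication that could wrap, and the second comparison covers the header addition separately, since either step alone can overflow.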
Why it's important
The listed devices provide an easy entry point into a network if they are left unpatched or poorly implemented.
We recommend applying the vendor patches and reviewing CISA mitigations.
Fixes are currently being developed by the affected vendors, including Amazon, ARM, Cesanta, Google Cloud, Samsung, Texas Instruments and Tencent.
Check the CISA advisory for a complete list of vulnerable products, as well as the patches currently available.