03.05.2021 Multiple Vulnerabilities in IoT and OT Devices Require Patching

by Elena Lapina

On 29 April 2021, Microsoft released a report on 25 critical memory allocation flaws in internet-of-things (IoT) and operational technology (OT) devices that are commonly connected to industrial, medical, and enterprise networks. 
  • Separately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory with a list of affected devices and recommendations on applying the security patches.
  • The flaws, collectively dubbed “BadAlloc”, exist in standard functions used in real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
  • The memory allocation implementations in the affected devices lack proper input validation. This could allow threat actors to trigger a heap overflow, execute malicious code, or cause a denial-of-service (DoS) condition.
  • The most severe of the flaws has been assigned a CVSS v3 score of 9.8.
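
The allocation pattern behind flaws of this kind, shown as an added, constructed illustration (not code from the Microsoft report or from any affected vendor): a size computed from caller-controlled values wraps around before it reaches the allocator, so the buffer handed back is far smaller than what is later written into it; the hardened variant validates the arithmetic first. HEADER_SIZE and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: an allocator front-end of the kind found in embedded
 * SDKs, which combines a caller-supplied element count and element size with
 * a fixed bookkeeping header. HEADER_SIZE is an assumed value. */
#define HEADER_SIZE 16

/* Naive size computation: count * elem_size + HEADER_SIZE silently wraps
 * when the true total exceeds SIZE_MAX, yielding a tiny allocation. */
size_t naive_alloc_size(size_t count, size_t elem_size) {
    return count * elem_size + HEADER_SIZE;
}

/* Hardened form: reject any request whose arithmetic would wrap. Returns 0
 * on overflow; 0 is never a valid total here because HEADER_SIZE > 0. */
size_t checked_alloc_size(size_t count, size_t elem_size) {
    size_t payload;
    if (count != 0 && elem_size > SIZE_MAX / count)
        return 0;                       /* count * elem_size would wrap */
    payload = count * elem_size;
    if (payload > SIZE_MAX - HEADER_SIZE)
        return 0;                       /* adding the header would wrap */
    return payload + HEADER_SIZE;
}

/* Allocate only after the requested size has been validated. */
void *checked_alloc(size_t count, size_t elem_size) {
    size_t total = checked_alloc_size(count, elem_size);
    if (total == 0)
        return NULL;
    return malloc(total);
}

int main(void) {
    /* A request that wraps on 64-bit targets: (SIZE_MAX/2 + 1) * 2 == 0. */
    size_t big = SIZE_MAX / 2 + 1;
    printf("naive size:   %zu bytes (wrapped)\n", naive_alloc_size(big, 2));
    printf("checked size: %zu (0 = rejected)\n", checked_alloc_size(big, 2));
    printf("checked size for 4 x 8 bytes: %zu\n", checked_alloc_size(4, 8));
    return 0;
}
```

The same two checks (multiplication against SIZE_MAX / count, addition against SIZE_MAX minus the constant) apply to any allocator wrapper that derives its size from untrusted input.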

Why it’s important

  • If left unpatched or poorly implemented, the listed devices provide an easy entry point into a network.
  • We recommend applying the vendor patches and reviewing CISA mitigations.
  • Fixes are currently being prepared by the affected vendors, including Amazon, ARM, Cesanta, Google Cloud, Samsung, Texas Instruments and Tencent.
  • Check the CISA advisory for a complete list of vulnerable products and the patches currently available.

References: CISA
