On 29 April 2021, Microsoft released a report on 25 critical memory allocation flaws in internet-of-things (IoT) and operational technology (OT) devices that are commonly connected to industrial, medical, and enterprise networks.
- Separately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory with a list of affected devices and recommendations on applying the security patches.
- The flaws, collectively dubbed “BadAlloc”, exist in standard memory allocation functions (malloc, calloc, realloc and similar) used in real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
- The affected allocators do not validate the size they are asked for: the allocator's own arithmetic on an attacker-controlled size (rounding up to an alignment boundary, adding header bytes, or multiplying an element count by an element size) can wrap around, so a much smaller buffer is returned than the caller expects. A threat actor who controls that size can then perform a heap overflow, execute malicious code, or cause a denial-of-service (DoS) condition.
- The most severe of the flaws has been assigned a CVSS v3 score of 9.8.
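The following is an added illustration of the wraparound pattern described above, written for this page; it is not code from Microsoft, CISA, or any affected vendor. It uses a toy bump allocator over a fixed arena (the arena, the 16-byte alignment, and all function names are assumptions made for the example) to show how an unchecked round-up or multiplication turns a huge request into a tiny chunk, and what the missing checks look like.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy arena allocator (constructed for this example, not a real RTOS heap). */
#define ALIGN 16
static unsigned char arena[4096];
static size_t arena_used = 0;

void arena_reset(void) { arena_used = 0; }

/* VULNERABLE: rounds the request up to ALIGN with no wraparound check.
 * For n close to SIZE_MAX, n + 15 wraps to a small value and the mask
 * turns it into 0, so a 0-byte chunk is handed out for a "huge" request. */
size_t vuln_round_up(size_t n) {
    return (n + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
}

void *vuln_alloc(size_t n) {
    size_t need = vuln_round_up(n);           /* may have wrapped */
    if (need > sizeof arena - arena_used)      /* check passes on the wrapped value */
        return NULL;
    void *p = arena + arena_used;
    arena_used += need;
    return p;   /* caller now writes n bytes into a chunk of size need */
}

/* HARDENED: refuse any size whose round-up would wrap. */
int size_would_wrap(size_t n) {
    return n > SIZE_MAX - (ALIGN - 1);
}

void *safe_alloc(size_t n) {
    if (size_would_wrap(n))
        return NULL;
    size_t need = (n + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
    if (need > sizeof arena - arena_used)
        return NULL;
    void *p = arena + arena_used;
    arena_used += need;
    return p;
}

/* calloc-style request: nmemb * size must not overflow before allocating. */
int mul_would_wrap(size_t nmemb, size_t size) {
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

void *safe_calloc(size_t nmemb, size_t size) {
    if (mul_would_wrap(nmemb, size))
        return NULL;
    return safe_alloc(nmemb * size);
}

int main(void) {
    /* Constructed "attacker-supplied" length, e.g. from a packet header. */
    size_t evil = SIZE_MAX;
    arena_reset();
    printf("vuln_round_up(SIZE_MAX) = %zu\n", vuln_round_up(evil));  /* 0 */
    printf("vuln_alloc(SIZE_MAX)    = %s\n",
           vuln_alloc(evil) ? "non-NULL (bug)" : "NULL");
    arena_reset();
    printf("safe_alloc(SIZE_MAX)    = %s\n",
           safe_alloc(evil) ? "non-NULL" : "NULL (rejected)");
    printf("safe_calloc(2^63, 2)    = %s\n",
           safe_calloc(SIZE_MAX / 2 + 1, 2) ? "non-NULL" : "NULL (rejected)");
    return 0;
}
```

The vulnerable path never writes out of bounds by itself; the overflow happens when the caller trusts the returned pointer and copies the original n bytes into it. That is why the fix belongs inside the allocator (or a wrapper every caller uses) rather than at each call site.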
Why it’s important
- An unpatched device from the list that is reachable on the network gives an attacker an easy entry point into the wider environment, especially where the device accepts attacker-controlled lengths from network input.
- We recommend applying the vendor patches and reviewing CISA mitigations.
- Affected vendors, including Amazon, ARM, Cesanta, Google Cloud, Samsung, Texas Instruments and Tencent, are still working on fixes; not every product has a patch yet.
- Check CISA advisory for a complete list of vulnerable products, as well as the patches currently available.