
BadAlloc: Microsoft looked at memory allocation code in tons of devices and found this one common security flaw

Integer overflows leave IoT, OT, medical gear vulnerable to heap-seeking missiles


Updated: Microsoft has taken a look at memory management code used in a wide range of equipment, from industrial control systems to healthcare gear, and found it can be potentially exploited to hijack devices.

The Windows giant has urged folks to get the latest firmware releases that address the holes, and test and deploy them, if possible. And if not, take steps to segment devices on the network, monitor them, and reduce access to them to lessen the blow if a compromise occurs.

Drilling down to the nitty-gritty: Microsoft's Azure Defender for IoT security research group looked at memory allocation functions, such as malloc(), provided by real-time operating systems, standard C libraries, and software development kits all aimed at embedded electronics: that's Internet-of-Things (IoT) devices, industrial control systems, and so-called operational technology (OT).

The team found a programming blunder common among much of the software: integer overflows during heap memory allocation. This occurs when an attacker is able to, usually via malicious data inputs, trick application code into making a very large memory allocation for a buffer to hold further incoming information.

The trouble is that a vulnerable memory allocator could take that large size – eg, 0xffffffff on a 32-bit embedded system – and add something like 8 to it because the requested memory block needs eight bytes of metadata to describe it. The size then overflows to 7 and the allocator finds space in memory that's seven bytes in size for the requested buffer.

The allocator returns a pointer to that small space to the application, which assumes the allocation succeeded for the huge request, and then copies way more than seven bytes of data into the buffer from the attacker. This causes the application to overwrite the memory allocation metadata, structures, and contents. Now the attacker who sent over the data can take full control of the system by overwriting function pointers or altering other values.


The allocations should fail due to the large sizes, but the integer overflow allows them to partially succeed and in a way that's exploitable. To pull this off, an attacker would need to be able to feed data to the application – either as a file or network traffic or whatever – that causes it to allocate a huge block of heap memory. It would be nice if application code trapped oversize allocations, but in any case, Microsoft found OS and library-level code let it all sail through, too, due to the overflows.
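To make the arithmetic in the two paragraphs above concrete, here is an added example (not code from Microsoft's research or from any of the affected products) that models the size computation a 32-bit allocator performs before searching its free list. The header size of eight bytes matches the article; the heap size, the type names and the function names are assumptions for illustration. The unchecked function reproduces the wraparound, and the checked one shows the test an allocator or calling application should apply before trusting the sum.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a 32-bit embedded allocator's size arithmetic.
 * A fixed per-block header (8 bytes, as in the article) is added to the
 * caller's request before the free-list search. HEAP_SIZE is an assumed,
 * arbitrary heap size for the demonstration. */
#define HEADER_SIZE 8u
#define HEAP_SIZE   (64u * 1024u)

typedef uint32_t size32_t;  /* stands in for size_t on a 32-bit target */

/* Vulnerable pattern: the addition wraps silently, so a request for
 * 0xffffffff bytes becomes a 7-byte block that fits the heap easily.
 * Returns the block size the allocator would look for, or 0 if the
 * (possibly wrapped) total exceeds the heap. */
static size32_t block_size_unchecked(size32_t requested)
{
    size32_t total = requested + HEADER_SIZE;   /* wraps to 7 for 0xffffffff */
    return total <= HEAP_SIZE ? total : 0;
}

/* Hardened pattern: refuse the request when request + header would wrap,
 * and only then compare the genuine total against the heap size.
 * Returns false when the allocation must be refused; on success stores
 * the total block size in *out. */
static bool block_size_checked(size32_t requested, size32_t *out)
{
    if (requested > UINT32_MAX - HEADER_SIZE)   /* sum would exceed 32 bits */
        return false;
    size32_t total = requested + HEADER_SIZE;
    if (total > HEAP_SIZE)                      /* honest total is too big */
        return false;
    *out = total;
    return true;
}

/* Convenience wrapper for the checked path: block size, or 0 when refused. */
static size32_t block_size_checked_or_zero(size32_t requested)
{
    size32_t total;
    return block_size_checked(requested, &total) ? total : 0;
}

int main(void)
{
    /* Constructed hostile value: a length field taken straight from input. */
    size32_t hostile = 0xffffffffu;

    printf("unchecked: request 0x%08x -> block of %u bytes\n",
           hostile, block_size_unchecked(hostile));
    printf("checked:   request 0x%08x -> %s\n", hostile,
           block_size_checked_or_zero(hostile) ? "accepted" : "refused");
    return 0;
}
```

On GCC and Clang the wrap test can also be written with `__builtin_add_overflow(requested, HEADER_SIZE, &total)`, which returns true when the sum does not fit; either form gives the allocator the failure the article says the affected implementations were missing.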

The integer overflow bugs would make solid stepping stones for those wishing to exploit poor data sanitization in embedded applications to achieve remote code execution, we reckon. We're told no one's done that yet.

"Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds," the team at Microsoft Security Response Center wrote in an advisory.

"To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, we strongly encourage organizations to patch their systems as soon as possible.


"At the same time, we recognize that patching IoT/OT devices can be complex. For devices that cannot be patched immediately, we recommend mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets."

What is affected? Good question. The US government's Cybersecurity and Infrastructure Security Agency (CISA) has a summary here. There are 25 pieces of software listed, ranging from Arm's Mbed OS and Amazon's FreeRTOS to Google Cloud's IoT Device SDK and Red Hat's newlib to Wind River's VxWorks, all used in a load of gear.

Most of them have a CVSS severity of about 7.3 out of 10, reflecting the steps an attacker must take to exploit them, though newlib's CVE-2021-3420 gets 9.8.

CISA also thanked Microsofties David Atch, Omri Ben Bassat, and Tamir Ariel for finding and reporting the flaws.

Microsoft, which is no stranger to buggy operating systems, shared its advisory here earlier today. ®

Updated to add on August 17

We note that BlackBerry's QNX 6.5.0SP1, QNX OS for Safety 1.0.2, and QNX OS for Medical 1.1.1 have been added to the list of vulnerable operating systems, with updates available.
