Microsoft finds security flaw in memory allocation code

Get a free Techzine subscription!

BadAlloc Integer overflows affect things like IoT, OT, medical gear, leaving them vulnerable to hacks

Microsoft security researchers have discovered more than 20 critical remote code execution (RCE) vulnerabilities in Internet of Things (IoT) devices and operational technology (OT) industrial systems.

These 25 security vulnerabilities are collectively called “BadAlloc”. Memory allocation integer overflow or wraparound errors are what cause the vulnerabilities. Attackers can use them to trigger system crashes and remotely execute malicious code on IoT and OT systems.

BadAlloc is the name Microsoft’s Section 52 gave to this family of vulnerabilities discovered in embedded IoT and OT operating systems and software.

All of these vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more.

BadAlloc vulnerabilities could affect wide range of IoT and OT devices in industrial, medical, and enterprise networks

The Microsoft Security Response Center wrote about the BadAlloc threat in an advisory issued on April 29. “Microsoft’s Section 52, the Azure Defender for IoT security research group, recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices that adversaries could exploit to bypass security controls in order to execute malicious code or cause a system crash,” they wrote.

These remote code execution (RCE) vulnerabilities cover more than 25 CVEs . They potentially affect a wide range of domains, according to Microsoft. These include consumer and medical IoT, Industrial IoT, Operational Technology (OT), and industrial control systems.

Microsoft recommends mitigating controls such as reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet.

Implementing network security monitoring to detect behavioral indicators of compromise is another solution. They also suggest strengthening network segmentation to protect critical assets.

For a full list of affected products and CVEs, please visit the DHS website: ICSA-21-119-04 Multiple RTOS .