BadAlloc vulnerabilities wreck havoc in IoT, OT devices in industrial, medical, enterprise networks

Following the disclosure by Microsoft’s IoT security research group of the presence of BadAlloc vulnerabilities in IoT and operational technology (OT) devices, industrial cybersecurity firm Claroty said that their existence amplifies several hallmarks of insecurities in IoT. 

These include memory allocation implementations that lack proper input validation, which would hamper an attacker’s ability to perform heap overflow attacks and run code of their choice on industrial IoT devices, OT networks or control systems, the Claroty Research team said in a blog post on Thursday.

At least 25 documented BadAlloc vulnerabilities exist in standard memory allocation functions spanning widely-used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.  

In industrial environments with substantial legacy software and equipment, this can introduce additional risk for a number of reasons, including intolerance for the downtime required to update systems, some devices that cannot be reached, and the lack of an update mechanism altogether, according to the Claroty Research team.

Some organizations may also lack innate security resources and cybersecurity may only be a secondary responsibility for an OT network operator, for example. In that case, there could be a lack of awareness and visibility into vulnerabilities in this environment, it added.

The Cybersecurity and Information Security Agency (CISA) also updated Thursday its earlier advisory on the BadAlloc vulnerabilities that were found in multiple RTOS and supporting libraries found in process systems deployed in the critical infrastructure sector. The various open-source products may be implemented in forked repositories. 

David Atch, Omri Ben Bassat, and Tamir Ariel from Microsoft Section 52, and the Azure Defender for IoT research group reported these vulnerabilities to CISA.

‘BadAlloc’ is the name assigned by Microsoft’s Section 52 to the family of vulnerabilities discovered in embedded IoT and OT operating systems and software to describe this class of memory overflow vulnerabilities. The loopholes enable adversaries to bypass security controls in order to execute malicious code or cause a system crash, as the high-risk bugs expose businesses to remote code execution attacks.

RTOS are pervasive and exist inside embedded systems, including industrial IoT devices, but also in critical Purdue Model Level 1 and 2 gear, such as programmable logic controllers (PLCs), remote terminal units (RTUs) and human-machine interfaces (HMIs). 

Most RTOS within PLCs, for example, interpret the ladder logic that programs the controller. In manufacturing environments, PLCs must operate as close to real-time as possible, and the RTOS ensures that functionality; they provide deterministic responses to external events. On the contrary, Windows and Unix operating systems stay responsive to user inputs.

Unlike conventional operating systems, the scheduler inside an RTOS is predictable, ensuring capabilities are available within a particular time allocation, usually measured in tenths of a second. RTOS’ power is in its scheduler, affording operators the ability to prioritize critical processing. RTOS’ also have smaller code bases, and because of the way they run are efficient and easier to maintain. Operators have flexibility in choosing from numerous open-source RTOS, and many are safety certified, a key consideration in industrial environments.

Embedded systems, including industrial control systems (ICS), have such requirements and must be responsive within a defined deadline, otherwise, for example, production systems may fail because a robot would be late in responding. 

CISA advised users a number of mitigations, including monitoring the ICS-CERT advisory for updates from affected vendors. Many vendors have already provided updates, have updates in progress, or no longer support and update vulnerable RTOS versions. 

The ICS-CERT also advises segmenting control system networks from business networks, and not connecting them directly to the internet. It also recommended that control system networks and remote devices should be located behind firewalls, and updated VPNs (virtual private networks) used for remote access.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.