The security research group for Azure Defender for IoT, nicknamed Section 52, has just discovered memory allocation flaws in code used by many connected devices deployed in operational technology, such as industrial control systems, which could lead to the execution of malicious code. Grouped under the name BadAlloc, the vulnerabilities stem from improper input validation, which leads to heap overflows and can ultimately result in code execution.
“All of these vulnerabilities stem from the use of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more,” the research team wrote in a blog post. Using these functions becomes problematic when they are passed externally supplied values that can cause an integer overflow or wraparound in the size calculation. “The concept is this: When sending this value, the returned result is a freshly allocated memory buffer,” the team explains.
“Although the allocated memory size remains small due to the wraparound, the payload associated with allocating memory exceeds the actually allocated buffer, resulting in heap overflow. This heap overflow allows an attacker to execute malicious code on the target device.”
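The wraparound the team describes, shown here as an added illustration in C (not code from Microsoft's advisory or from any affected vendor): an unchecked size computation next to the overflow-checked form a maintainer would use before calling malloc. The 16-byte per-allocation header is a constructed assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HDR 16  /* hypothetical per-allocation bookkeeping header */

/* Unchecked arithmetic: the BadAlloc pattern. A payload length near
   SIZE_MAX wraps to a tiny total, so malloc hands back a small buffer
   while the caller later copies 'payload' bytes into it. */
size_t naive_total(size_t payload) {
    return payload + HDR;  /* wraps silently */
}

/* Checked addition: refuse any request whose total would wrap. */
bool checked_total(size_t payload, size_t *total) {
    if (payload > SIZE_MAX - HDR) return false;
    *total = payload + HDR;
    return true;
}

/* Checked multiplication for calloc-style n * size requests. */
bool checked_mul(size_t n, size_t size, size_t *total) {
    if (n != 0 && size > SIZE_MAX / n) return false;
    *total = n * size;
    return true;
}

/* Allocate only when the size arithmetic is sound; NULL otherwise. */
void *safe_alloc_payload(size_t payload) {
    size_t total;
    if (!checked_total(payload, &total)) return NULL;
    return malloc(total);
}

int main(void) {
    size_t hostile = SIZE_MAX - 4;  /* constructed attacker-controlled length */
    printf("naive total for SIZE_MAX-4: %zu bytes\n", naive_total(hostile));
    printf("checked allocation: %s\n",
           safe_alloc_payload(hostile) == NULL ? "rejected" : "allowed");
    return 0;
}
```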
Many connected objects concerned
Microsoft says it has worked with the US Department of Homeland Security to alert affected vendors and fix vulnerabilities. The list of products affected in the advisory includes devices from Google Cloud, Arm, Amazon, Red Hat, Texas Instruments, and Samsung Tizen. CVSS v3 scores range from 3.2, in the case of Tizen, to 9.8, for Red Hat newlib prior to version 4.
As with most vulnerabilities, Microsoft’s first tip is to patch affected products, but since industrial equipment can be difficult to update, Redmond suggests disconnecting devices from the internet where possible or placing them behind a VPN with two-factor authentication, putting some form of network security and monitoring in place to detect behavioral indicators of compromise, and using network segmentation to protect critical assets.
“Network segmentation is important for zero-trust because it limits the attacker’s ability to move sideways and compromise your assets after the initial intrusion,” the team writes. “In particular, IoT devices and OT networks should be isolated from corporate IT networks using firewalls.”