This is a significant potential risk for medical, industrial and enterprise networks fully invested in ‘smart’ devices and gadgets.

A wide range of IoT and OT devices in industrial, medical and enterprise networks have been found to contain memory allocation vulnerabilities, according to a Microsoft security research group’s announcement on 29 April 2021.

These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.

These flaws, collectively known as ‘BadAlloc’, exist in standard memory allocation functions spanning widely-used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.

The disclosure noted: “Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds. To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, we strongly encourage organizations to patch their systems as soon as possible.”

Patching vulnerabilities in time

Despite early warnings about their vulnerabilities, IoT devices have been put into widespread use without adequate safeguards and protective vigilance.

Heating regulators, cameras, doorbells, television sets, radios, watches, headphones, cars… All of these devices are now interconnected—often connected directly to the Internet. Although this delivers a multitude of benefits, it also poses a constant threat as devices become increasingly accessible to bad actors.

Commented Boris Cipot, Senior Security Engineer, Synopsys Software Integrity Group: “It is critical that steps are taken to mitigate the risks and to avoid direct exposure, including limiting network availability or segmenting the network. Equally important is the need to patch devices if security flaws such as BadAlloc are found.”

It is an undeniable fact that IoT software will likely have security vulnerabilities, so a patch strategy has to be in place, said Cipot. “Firstly, you need to know what kind of hardware and software you are using. Plugins and extensions fall into this category too. Then, you need to follow the vendors or open source communities that take care of the software you are using in order to know when the software needs to be patched or upgraded. If you have the devices directly connected to the internet, then you might benefit from automatic updates. Nevertheless, it is important to be aware that not all of the devices have an OTA update feature and in many security-aware locations, they are not permitted. Even if devices are behind a firewall or even in a separate network, make sure that you schedule update windows for those devices and follow through with them.”

Attack surfaces enlarged in IoT/OT

In response to the BadAlloc disclosure, Oded Vanunu, Head of Product Vulnerability Research, Check Point Software Technologies, noted that IoT/OT systems are considered ‘easy’ gates for malicious actors to enter through, since these devices usually receive less attention when it comes to security software updates and have access to public networks. “Potentially all vulnerabilities reported by Microsoft can allow running remote code on the devices and grant full control on the device which can assist with continuing the attack to the corporate or home networks.”

Vanunu repeated the oft-cited cybersecurity measures that CybersecAsia.net has been publishing regularly: ensure prompt application of vendor security updates; minimize network exposure for all control system devices and/or systems; and ensure that they are not accessible from the Internet. That is on top of having firewalled business networks segregated from exposed segments.

“When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also, remember that a VPN is only as secure as its connected devices,” Vanunu said.