Multiple IoT devices affected by BadAlloc Vulnerabilities
THREAT LEVEL: Red.
For a detailed advisory, download the pdf file here.
More than 25 vulnerabilities, collectively named BadAlloc, have been found in multiple IoT and OT devices. These vulnerabilities reside in the standard memory allocation functions used in RTOSes (real-time operating systems), SDKs (software development kits) and C standard library implementations. Attackers could easily exploit them to execute malicious code and trigger DoS conditions. However, none of these vulnerabilities have been exploited as of now.
Vulnerability Details
For details, please refer to the PDF version of the advisory here.
Patch Links
- https://github.com/FreeRTOS/FreeRTOS-Kernel/pull/224
- https://github.com/apache/incubator-nuttx
- https://github.com/ARMmbed/mbed-os/pull/14408
- https://github.com/cesanta/mongoose-os
- https://bugzilla.ecoscentric.com/show_bug.cgi?id=1002437
- https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/pull/119/files
- https://www.silabs.com/developers/micrium-os
- https://mcuxpresso.nxp.com/en/welcome
- https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git
- https://github.com/RIOT-OS/RIOT
- https://github.com/Samsung/TizenRT
- https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html
- https://downloads.uclibc-ng.org/releases/
References
- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04
- https://msrc-blog.microsoft.com/2021/04/29/badalloc-memory-allocation-vulnerabilities-could-affect-wide-range-of-iot-and-ot-devices-in-industrial-medical-and-enterprise-networks/
- https://threatpost.com/microsoft-warns-25-critical-iot-industrial-devices/165752/