Cybersecurity officials and experts are warning of vulnerabilities found in 25 widely used real-time operating systems and supporting libraries that power commonly used IoT devices and internet-connected intelligent systems.
Microsoft’s Section 52, the Azure Defender for IoT research group, uncovered the critical memory allocation vulnerabilities that could be exploited to bypass security controls to execute malicious code or cause a system crash.
The company is calling the series of vulnerabilities BadAlloc. They all stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more, according to Microsoft.
“The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations,” Microsoft’s Security Response Center said in a blog. “These findings have been shared with vendors through responsible disclosure led by the Microsoft Security Response Center (MSRC) and the Department of Homeland Security (DHS), enabling these vendors to investigate and patch the vulnerabilities.”
There are more than 25 vulnerabilities and they could impact a wide range of domains, including consumer and medical IoT, industrial IoT, operational technology and industrial control systems.
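The article does not describe the underlying defect in these allocators. As an added illustration (not code from Microsoft, CISA or any vendor listed in this article), the following C program shows the kind of input-validation gap that lets an allocation request go wrong: a wrapper that computes its byte count with unchecked arithmetic, so an oversized request silently wraps around to a small number before reaching malloc, beside a hardened wrapper that validates every step of the size computation and refuses the request instead. The function names, the 16-byte bookkeeping header and the sample request values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Example allocator bookkeeping overhead (constructed value; real allocators differ). */
#define ALLOC_HEADER_BYTES 16u

/* Weak pattern: the byte count is computed with unchecked arithmetic.
 * With count = SIZE_MAX/4 + 2 and elem_size = 8 the product wraps to 8,
 * so a huge request becomes a tiny allocation; later writes into the
 * "array" then run past the end of the heap block. */
size_t unchecked_request_bytes(size_t count, size_t elem_size) {
    return count * elem_size + ALLOC_HEADER_BYTES;
}

/* Hardened pattern: every arithmetic step is validated before it is used.
 * Returns 1 and stores the byte count in *out, or returns 0 when the
 * product or the sum would not fit in size_t. */
int checked_request_bytes(size_t count, size_t elem_size, size_t *out) {
    size_t payload;
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return 0;                       /* count * elem_size would wrap */
    }
    payload = count * elem_size;
    if (payload > SIZE_MAX - ALLOC_HEADER_BYTES) {
        return 0;                       /* adding the header would wrap */
    }
    *out = payload + ALLOC_HEADER_BYTES;
    return 1;
}

/* Hardened array allocation: NULL on overflow or on allocator failure,
 * so a caller that checks the return value never receives an undersized block. */
void *safe_alloc_array(size_t count, size_t elem_size) {
    size_t bytes;
    if (!checked_request_bytes(count, elem_size, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}

/* Returns 1 when the unchecked computation produced fewer bytes than the
 * number of elements requested, i.e. the arithmetic wrapped around. */
int unchecked_request_wrapped(size_t count, size_t elem_size) {
    size_t bytes = unchecked_request_bytes(count, elem_size);
    /* A correct result is at least count bytes whenever elem_size >= 1. */
    return elem_size != 0 && bytes < count;
}

/* Allocates, frees, and reports whether the hardened path accepted a request. */
int safe_alloc_accepts(size_t count, size_t elem_size) {
    void *p = safe_alloc_array(count, elem_size);
    if (p == NULL) {
        return 0;
    }
    free(p);
    return 1;
}

int main(void) {
    size_t huge = SIZE_MAX / 4 + 2;     /* constructed oversized request */
    printf("unchecked: %zu elements of 8 bytes -> %zu bytes (wrapped=%d)\n",
           huge, unchecked_request_bytes(huge, 8), unchecked_request_wrapped(huge, 8));
    printf("checked:   oversized request %s\n",
           safe_alloc_accepts(huge, 8) ? "accepted" : "rejected");
    printf("checked:   %d elements of 8 bytes %s\n", 100,
           safe_alloc_accepts(100, 8) ? "accepted" : "rejected");
    return 0;
}
```

The overflow check divides rather than multiplies so it cannot itself wrap, and the header addition is checked separately because allocators commonly add bookkeeping bytes after the caller's own size computation. The same wrapped-size value appears on 32-bit and 64-bit targets, which is why a fixed test value built from SIZE_MAX is used rather than a hard-coded count.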
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an advisory on the vulnerabilities, including recommended mitigation steps and more details on each vulnerability.
Here is a list of the affected products, per CISA:
- Amazon FreeRTOS, Version 10.4.1
- Apache Nuttx OS, Version 9.1.0
- ARM CMSIS-RTOS2, versions prior to 2.1.3
- ARM Mbed OS, Version 6.3.0
- ARM mbed-ualloc, Version 1.3.0
- Cesanta Software Mongoose OS, v2.17.0
- eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
- Google Cloud IoT Device SDK, Version 1.0.2
- Linux Zephyr RTOS, versions prior to 2.4.0
- Media Tek LinkIt SDK, versions prior to 4.6.1
- Micrium OS, Versions 5.10.1 and prior
- Micrium uCOS II/uCOS III, Versions 1.39.0 and prior
- NXP MCUXpresso SDK, versions prior to 2.8.2
- NXP MQX, Versions 5.1 and prior
- Redhat newlib, versions prior to 4.0.0
- RIOT OS, Version 2020.01.1
- Samsung Tizen RT RTOS, versions prior to 3.0.GBB
- TencentOS-tiny, Version 3.1.0
- Texas Instruments CC32XX, versions prior to 4.40.00.07
- Texas Instruments SimpleLink MSP432E4XX
- Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
- Uclibc-NG, versions prior to 1.0.36
- Windriver VxWorks, prior to 7.0
A quick Google search on some of those operating systems shows they are used in audio processors, smart speakers, communication devices, security cameras, sensors, avionics, medical equipment and more.
Cybersecurity company Malwarebytes also published a blog on the vulnerabilities, saying the affected products are widely used in smart, Internet-connected devices.
“The number of affected devices could be enormous,” the company said.