Microsoft Finds Memory Allocation Vulnerabilities Affecting IIoT Devices

May 19, 2021 by Alessandro Mascellino

Microsoft’s Section 52 discovered a series of critical memory allocation vulnerabilities in several IoT and operational technology (OT) tools.

The Azure Defender for IoT security research group, Section 52, said attackers could exploit the vulnerabilities to bypass security controls and execute malicious code or crash the systems.


The IoT Azure Defender Security Centre alerts users about potential threats. Image used courtesy of Microsoft


The flaws reportedly affected a total of 25 software solutions in industrial and medical IoT, as well as OT and industrial control systems.


The BadAlloc Vulnerabilities 

The term “BadAlloc” refers to the latest family of vulnerabilities discovered by Microsoft’s Section 52. All of the risks reportedly stem from the use of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, and pvalloc.

“Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device,” reads a blog post on the Microsoft Security Response Center.
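The input validation in question is a wraparound check on the allocator's size arithmetic; the CISA advisory classifies the flaws as integer overflow or wraparound (CWE-190). The following C sketch is an added example, not code from Microsoft or any affected vendor: it puts unvalidated malloc-style and calloc-style size calculations beside validated ones. The function names, the 8-byte header and the 8-byte alignment are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE ((size_t)8) /* assumed per-block header size */
#define ALIGN    ((size_t)8) /* assumed block alignment */

/* Unvalidated malloc-style sizing: adding the header and rounding up
 * wraps around for requests close to SIZE_MAX. */
size_t block_size_unchecked(size_t req)
{
    return (req + HDR_SIZE + (ALIGN - 1)) & ~(ALIGN - 1);
}

/* Validated sizing: 0 on success, -1 if the arithmetic would wrap. */
int block_size_checked(size_t req, size_t *out)
{
    if (req > SIZE_MAX - HDR_SIZE - (ALIGN - 1))
        return -1;
    *out = (req + HDR_SIZE + (ALIGN - 1)) & ~(ALIGN - 1);
    return 0;
}

/* Unvalidated calloc-style sizing: nmemb * size wraps modulo SIZE_MAX + 1. */
size_t array_size_unchecked(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Validated sizing: 0 on success, -1 if the product would wrap. */
int array_size_checked(size_t nmemb, size_t size, size_t *out)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return -1;
    *out = nmemb * size;
    return 0;
}

int main(void)
{
    size_t out = 0, huge = SIZE_MAX - 3, count = SIZE_MAX / 8 + 3; /* constructed inputs */
    printf("malloc-style: unchecked=%zu checked=%d\n",
           block_size_unchecked(huge), block_size_checked(huge, &out));
    printf("calloc-style: unchecked=%zu checked=%d\n",
           array_size_unchecked(count, 8), array_size_checked(count, 8, &out));
    return 0;
}
```

With these constructed inputs the unchecked calculations yield 8 and 16 bytes for requests near SIZE_MAX, so the caller receives a block far smaller than it asked for, while the checked versions reject the request.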

As far as industrial vulnerabilities are concerned, BadAlloc affected many software tools by Texas Instruments, most of them from the SimpleLink wireless connectivity family. Other products affected by the new vulnerabilities were from Amazon, ARM, Google, and Samsung, among others.


Azure Defender can protect devices with a risk-based approach. Image used courtesy of Microsoft


Exploiting such flaws in industrial scenarios has already led to several incidents in the last few years. For example, ransomware has recently hit two U.S. pipelines, shutting down the pipelines for two and six days, respectively. More recently, many industrial manufacturers reported cybersecurity incidents caused by malicious actors.

To tackle these issues, the U.S. government unveiled new plans to protect electric utilities, water districts, and other critical control systems from cyberattacks.


Employing Effective Mitigation Strategies

The BadAlloc vulnerabilities were addressed in an advisory from the Cybersecurity and Infrastructure Security Agency (CISA). In the document, CISA assigned each of the flaws a separate CVSS (Common Vulnerability Scoring System) score. For context, CVSS assigns severity scores to vulnerabilities from zero to ten, with ten being the most severe.

The BadAlloc vulnerabilities received vastly different CVSS scores. The majority of them received a base score of 7.3, but Red Hat newlib, a C library intended for embedded systems, scored the highest of all at 9.8. However, the advisory clarified that most of these vulnerabilities have been patched by the respective companies, and provided links to the individual updates.

CISA has also encouraged companies utilizing equipment affected by the BadAlloc vulnerabilities to minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. 


Azure Defender can protect industrial IoT/OT environments with automated monitoring. Image used courtesy of Microsoft


If a network connection is required, the Agency recommends using secure virtual private networks (VPNs). In addition, all control system networks and devices subject to the new vulnerabilities should be placed behind firewalls and isolated from the business network. 

CISA offers an extensive selection of recommended practices to help industrial companies keep their systems safe. The Agency also released a Ransomware Prevention guide last October.
