While the flaws are collectively called "BadAlloc" as the vulnerabilities stem from usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and many more. The vulnerabilities cover more than 25 CVEs and affects a wide range of critical domains, ranging from consumer and medical IoT to Industrial IoT, Operational Technology, and industrial control systems.
BadAlloc is rooted in memory allocation functions spanning widely used C standard library (libc) implementations, real-time operating systems (RTOS), and embedded software development kits (SDKs).
How BadAlloc Flaws affects IoT and OT Devices?
Microsoft research shows that memory allocation implementations written as part of IoT devices and embedded software haven't incorporated proper input validations. And without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on target devices.
The vulnerabilities can be invoked by calling the memory allocation function, such as malloc(VALUE), with the VALUE parameter derived from external input dynamically and being large enough to trigger an integer overflow or wraparound.
And the successful exploitation of these vulnerabilities could result in unexpected scenarios such as a remote code execution or injection, or even system crash, as stated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in a security advisory released on April 29, 2021.
How Organizations can secure their Systems from exploitation?
Though, there is no evidence of these vulnerabilities being exploited in the wild, but the availability of the patches could allow bad actors to use a technique known as "patch diffing" to reverse engineer the fixes to leverage on it to potentially weaponize any vulnerable versions of the software.
Therefore, CISA recommends that organizations should apply vendor updates as soon as possible, and set up firewall barriers, and isolate critical system networks from business network, to curtail exposure of control systems to ensure they remain inaccessible from the internet.