BadAlloc IoT Vulnerabilities
BadAlloc is a collection of memory allocation vulnerabilities in a wide variety of real-time operating systems used in IoT and OT products across a wide range of industries including health, pharmaceutical, and manufacturing.
Affected platforms
The following platforms are known to be affected:
Amazon FreeRTOS Versions: 10.4.1
Apache Nuttx Versions: 9.1.0
ARM CMSIS-RTOS2 Versions: all prior to 2.1.3
ARM Mbed OS Versions: 6.3.0
ARM mbed-ualloc Versions: 1.3.0
BlackBerry QNX SDP Versions: 6.5.0 SP1 and earlier
BlackBerry QNX OS for Safety Versions: 1.0.1 and earlier safety products compliant with IEC 61508 and/or ISO 26262
BlackBerry QNX OS for Medical Versions: 1.1 and earlier safety products compliant with IEC 62304
Cesanta Software Mongoose OS Versions: 2.17.0
eCosCentric eCosPro RTOS Versions: 2.01 to 4.5.3
Google Cloud IoT Device SDK Versions: 1.0.2
Media Tek LinkIt SDK Versions: all prior to 4.6.1
Micrium OS Versions: 5.10.1 and earlier
Micrium uC/OS: uC/LIB Versions: 1.38.xx and 1.39.00
NXP MCUXpresso SDK Versions: all prior to 2.8.2
NXP MQX Versions: 5.1 and earlier
Redhat newlib Versions: all prior to 4.0.0
RIOT OS Versions: 2020.01.1
Samsung Tizen RT RTOS Versions: all prior to 3.0.GBB
TencentOS-tiny Versions: 3.1.0
Texas Instruments CC32XX Versions: all prior to 4.40.00.07
Texas Instruments SimpleLink MSP432E4XX Versions: all
Texas Instruments SimpleLink-CC13XX Versions: all prior to 4.40.00
Texas Instruments SimpleLink-CC26XX Versions: all prior to 4.40.00
Texas Instruments SimpleLink-CC32XX Versions: all prior to 4.10.03
Uclibc-NG Versions: all prior to 1.0.36
Windriver VxWorks Versions: all prior to 7.0
Zephyr Project RTOS Versions: all prior to 2.5
Threat details
Introduction
Microsoft security researchers have discovered critical vulnerabilities, collectively known as BadAlloc, in a variety of real-time operating systems (RTOS) used in Internet-of-Things (IoT) and operational technology (OT) products. They claim that a remote attacker could exploit these vulnerabilities to execute arbitrary code or cause denial-of-service conditions on any products using the vulnerable platforms.
Vulnerability details
All 25 BadAlloc vulnerabilities appear to be the result of faulty implementations of various memory allocation functions in the affected platforms. The researchers found that the implementations used by the vulnerable systems do not adequately validate memory inputs, which results in some form of buffer overflow. By sending specially crafted inputs to a vulnerable system, an attacker could exploit the resulting overflow to execute their own code on a target product.
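The allocation-size arithmetic behind this class of bug, shown as an added illustration rather than code from the alert or from any affected vendor: an alignment round-up whose unchecked addition wraps around, so a huge request becomes a tiny block, beside a hardened version that detects the wraparound with compiler overflow builtins. The alignment, heap limit and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ALIGN 8u          /* hypothetical allocator alignment */
#define HEAP_LIMIT 4096u  /* hypothetical total heap size, a constructed sanity bound */

/* Representative of the weak pattern: the request is rounded up to the
 * alignment with an unchecked addition. For n close to SIZE_MAX the sum
 * wraps, so the caller is handed a block far smaller than it asked for and
 * any subsequent copy into it overflows the heap. */
static size_t round_up_unchecked(size_t n) {
    return (n + ALIGN - 1) & ~(size_t)(ALIGN - 1);
}

/* Hardened form: refuse the request if the padding would wrap, and reject
 * sizes the heap could never satisfy. Returns false instead of a bogus size. */
static bool round_up_checked(size_t n, size_t *out) {
    size_t padded;
    if (__builtin_add_overflow(n, ALIGN - 1, &padded)) return false;
    padded &= ~(size_t)(ALIGN - 1);
    if (padded > HEAP_LIMIT) return false;
    *out = padded;
    return true;
}

/* Element-count allocations carry the same risk in the multiplication. */
static bool calloc_size_checked(size_t nmemb, size_t size, size_t *out) {
    size_t total;
    if (__builtin_mul_overflow(nmemb, size, &total)) return false;
    return round_up_checked(total, out);
}

/* Convenience predicates: does the hardened path accept this request? */
static bool accepts(size_t n) { size_t o; return round_up_checked(n, &o); }
static bool accepts_array(size_t nmemb, size_t size) {
    size_t o;
    return calloc_size_checked(nmemb, size, &o);
}

int main(void) {
    /* SIZE_MAX - 2 plus 7 bytes of padding wraps to 4, which rounds to 0. */
    size_t bad = round_up_unchecked(SIZE_MAX - 2);
    return (bad == 0 && !accepts(SIZE_MAX - 2) && accepts(13)) ? 0 : 1;
}
```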
Threat updates
| Date | Update |
|---|---|
| 26 Apr 2022 | Update to CISA advisory: this cyber alert has been updated to reflect updated information on affected products, remediation advice, and the current hyperlink to the relevant CISA advisory. |
Remediation advice
All affected OS vendors have confirmed that they have updates to address the relevant BadAlloc vulnerabilities or are in the process of producing them. Affected organisations are encouraged to review the following list, and contact their relevant suppliers, to apply all necessary updates.
The following is a list of vendor update status (please note this list may not be comprehensive or current):
- Amazon FreeRTOS – Update available
- Apache Nuttx OS Version 9.1.0 – Update available
- ARM CMSIS-RTOS2 – Update in progress, expected in June
- ARM Mbed OS – Update available
- ARM mbed-ualloc – no longer supported and no fix will be issued
- Blackberry QNX 6.5.0SP1 – Update available and Public advisory available
- Blackberry QNX OS for Safety 1.0.2 – Update available and Public advisory available
- Blackberry QNX OS for Medical 1.1.1 – Update available and Public advisory available
- Cesanta Software Mongoose OS – Update available
- eCosCentric eCosPro RTOS: Update to Versions 4.5.4 and newer – Update available
- Google Cloud IoT Device SDK – Update available
- Media Tek LinkIt SDK – MediaTek will provide the update to users. No fix for free version, as it is not intended for production use.
- Micrium OS: Update to v5.10.2 or later – Update available
- Micrium uCOS: uC/LIB Versions 1.38.xx, 1.39.00: Update to v1.39.1 – Update available
- NXP MCUXpresso SDK – Update to 2.9.0 or later
- NXP MQX – update to 5.1 or newer
- Redhat newlib – Update available
- RIOT OS – Update available
- Samsung Tizen RT RTOS – Update available
- TencentOS-tiny – Update available
- Texas Instruments CC32XX – Update to v4.40.00.07
- Texas Instruments SimpleLink CC13X0 – Update to v4.10.03
- Texas Instruments SimpleLink CC13X2-CC26X2 – Update to v4.40.00
- Texas Instruments SimpleLink CC2640R2 – Update to v4.40.00
- Texas Instruments SimpleLink MSP432E4 – Confirmed. No update currently planned
- uClibc-ng – Update available
- Windriver VxWorks – Update in progress. The following devices use Windriver VxWorks as their RTOS:
  - Hitachi Energy GMS600 – See public advisory
  - Hitachi Energy PWC600 – See public advisory
  - Hitachi Energy REB500 – See public advisory
  - Hitachi Energy Relion 670, 650 series and SAM600-IO – See public advisory
  - Hitachi Energy RTU500 series CMU – Updates available for some firmware versions – See public advisory
  - Hitachi Energy Modular Switchgear Monitoring System MSM – Protect your network – See public advisory
- Zephyr Project: Update to 2.5 or later. Patches available for prior supported versions. See the Zephyr security advisory for more information.
Definitive source of threat updates
Last edited: 26 April 2022 2:33 pm