By The Claroty Research Team | May 6, 2021

Late last week, Microsoft’s IoT security research group put industrial network operators on notice about 25 vulnerabilities in widely used software development kits and C-standard libraries found in embedded devices, industrial control systems, and operational technology networks.

Microsoft nicknames this class of memory allocation vulnerabilities affecting these so-called real-time operating systems, BadAlloc. The reference is to the use of vulnerable memory functions in these embedded systems, including malloc, calloc, realloc, memalign, valloc, pvalloc, and others, Microsoft said.

A threat actor can use these vulnerabilities to bypass existing security controls and run malicious code or crash industrial processes and systems. Microsoft said these memory allocation implementations lack proper input validation, which would hamper an attacker’s ability to perform heap overflow attacks and run code of their choice on an industrial IoT device, OT network, or control system.

Microsoft adds that it is not aware of publicly available exploits for these vulnerabilities. ICS-CERT, meanwhile, has published an extensive advisory that includes a list of affected products, versions, and whether updates are available for the respective affected product; many products have been patched, while others are either no longer supported, or updates are forthcoming.

Below is a list of affected products, courtesy of ICS-CERT:

Product

Update

Amazon FreeRTOS
Update available
Apache Nuttx OS Version 9.1.0
Update available
ARM CMSIS-RTOS2
Update in progress, expected in June
ARM Mbed OS
Update available
ARM mbed-uallaoc
No longer supported, and no fix will be issued.
Cesanta Software mongooses
Update available
eCosCentric eCosPro RTOS
Update to Versions 4.5.4 and newer – Update available
Google Cloud IoT Device SDK
Update available
Media Tek LinkIt SDK
MediaTek will provide the update to users. No fix for free version, as it is not intended for production use.
Micrium OS
Update to v5.10.2 or later – Update available
Micrium uCOS-II/uCOS-III
Update to v1.39.1 – Update not yet released
NXP MCUXpresso SDK
Update to 2.9.0 or later
NXP MQX
Update to 5.1 or newer – Update available
Redhat Newlib
Update available
RIOT OS
Update available
Samsung Tizen RT RTOS
Update available
TencentOS-tiny
Update available
Texas Instruments CC32XX
Update to v4.40.00.07
Texas Instruments SimpleLink CC13X0
Update to v4.10.03; Update not yet released
Texas Instruments SimpleLink CC13X2-CC26X2
Update to v4.40.00; Update not yet released
Texas Instruments SimpleLink CC2640R2
Update to v4.40.00; Update not yet released
Texas Instruments SimpleLink MSP432E4
Confirmed. No update currently planned.
uClibc-ng
Update available
WindRiver VxWorks
Update in progress

 

Why Does it Matter to OT?

Real-time operating systems (RTOS) are pervasive, not only inside embedded systems, including industrial IoT devices, but also in critical Purdue Model Level 1 and 2 gear such as programmable logic controllers (PLCs), remote terminal units (RTUs), and human machine interfaces (HMIs).

They are so-called because, unlike more conventional operating systems, the scheduler inside a RTOS is predictable, ensuring capabilities are available within a particular time allocation (usually measured in tenths of a second). Embedded systems—including industrial control systems—have such requirements and must be responsive within a defined deadline, otherwise, for example, production systems may fail because a robot would be late in responding.

Most RTOS within PLCs, for example, interpret the ladder logic that programs the controller. In manufacturing environments, PLCs must operate in as close to real time as possible, and the RTOS ensures that functionality; they provide deterministic responses to external events. On the contrary, Windows and UNIX operating systems stay responsive to user inputs.

RTOS’s power is in its scheduler, affording operators the ability to prioritize critical processing. RTOS’ also have smaller code bases, and because of the way they run are efficient and easier to maintain. Operators have flexibility in choosing from numerous open source RTOS, and many are safety certified, a key consideration in industrial environments.

All of this compounds the seriousness of last week’s announced vulnerabilities. The BadAlloc class of integer overflow vulnerabilities are not complicated, yet are severe (CVSS v3 scores of 9.8) and can be attacked remotely. Their existence amplifies several hallmarks of IoT insecurity, that include a lack of modern safeguards for memory allocation overflows.

In industrial environments with substantial legacy software and equipment, this can introduce additional risk for a number of reasons, including an intolerance for the downtime required to update systems, some devices that cannot be reached, or lack an update mechanism altogether. Some organizations may also lack innate security resources and cybersecurity may be a secondary responsibility for an OT network operator, for example. In that case, there could be a lack of awareness and visibility into vulnerabilities within their environment.

Recommendations

ICS-CERT, meanwhile, has published a number of mitigations:

  • Users should monitor the ICS-CERT advisory for updates from affected vendors. While many have already provided updates, have updates in progress, or no longer support vulnerable RTOS versions that will not be updated.
  • ICS-CERT advises segmenting control system networks from business networks, and not connecting them directly to the internet.
  • Control system networks and remote devices should be located behind firewalls.
  • ICS-CERT also recommends updated VPNs for remote access.