Late last week, Microsoft's IoT security research group put industrial network operators on notice about 25 vulnerabilities in widely used software development kits and C-standard libraries found in embedded devices, industrial control systems, and operational technology networks.
Microsoft nicknames this class of memory allocation vulnerabilities affecting these so-called real-time operating systems, BadAlloc. The reference is to the use of vulnerable memory functions in these embedded systems, including malloc, calloc, realloc, memalign, valloc, pvalloc, and others, Microsoft said.
A threat actor can use these vulnerabilities to bypass existing security controls and run malicious code or crash industrial processes and systems. Microsoft said these memory allocation implementations lack proper input validation, which would hamper an attacker's ability to perform heap overflow attacks and run code of their choice on an industrial IoT device, OT network, or control system.
Microsoft adds that it is not aware of publicly available exploits for these vulnerabilities. ICS-CERT, meanwhile, has published an extensive advisory that includes a list of affected products, versions, and whether updates are available for the respective affected product; many products have been patched, while others are either no longer supported, or updates are forthcoming.
Below is a list of affected products, courtesy of ICS-CERT:
Product | Update |
Amazon FreeRTOS | Update available |
Apache Nuttx OS Version 9.1.0 | Update available |
ARM CMSIS-RTOS2 | Update in progress, expected in June |
ARM Mbed OS | Update available |
ARM mbed-uallaoc | No longer supported, and no fix will be issued. |
Cesanta Software mongooses | Update available |
eCosCentric eCosPro RTOS | Update to Versions 4.5.4 and newer – Update available |
Google Cloud IoT Device SDK | Update available |
Media Tek LinkIt SDK | MediaTek will provide the update to users. No fix for free version, as it is not intended for production use. |
Micrium OS | Update to v5.10.2 or later – Update available |
Micrium uCOS-II/uCOS-III | Update to v1.39.1 – Update not yet released |
NXP MCUXpresso SDK | Update to 2.9.0 or later |
NXP MQX | Update to 5.1 or newer – Update available |
Redhat Newlib | Update available |
RIOT OS | Update available |
Samsung Tizen RT RTOS | Update available |
TencentOS-tiny | Update available |
Texas Instruments CC32XX | Update to v4.40.00.07 |
Texas Instruments SimpleLink CC13X0 | Update to v4.10.03; Update not yet released |
Texas Instruments SimpleLink CC13X2-CC26X2 | Update to v4.40.00; Update not yet released |
Texas Instruments SimpleLink CC2640R2 | Update to v4.40.00; Update not yet released |
Texas Instruments SimpleLink MSP432E4 | Confirmed. No update currently planned. |
uClibc-ng | Update available |
WindRiver VxWorks | Update in progress |
Real-time operating systems (RTOS) are pervasive, not only inside embedded systems, including industrial IoT devices, but also in critical Purdue Model Level 1 and 2 gear such as programmable logic controllers (PLCs), remote terminal units (RTUs), and human machine interfaces (HMIs).
They are so-called because, unlike more conventional operating systems, the scheduler inside a RTOS is predictable, ensuring capabilities are available within a particular time allocation (usually measured in tenths of a second). Embedded systems—including industrial control systems—have such requirements and must be responsive within a defined deadline, otherwise, for example, production systems may fail because a robot would be late in responding.
Most RTOS within PLCs, for example, interpret the ladder logic that programs the controller. In manufacturing environments, PLCs must operate in as close to real time as possible, and the RTOS ensures that functionality; they provide deterministic responses to external events. On the contrary, Windows and UNIX operating systems stay responsive to user inputs.
RTOS's power is in its scheduler, affording operators the ability to prioritize critical processing. RTOS' also have smaller code bases, and because of the way they run are efficient and easier to maintain. Operators have flexibility in choosing from numerous open source RTOS, and many are safety certified, a key consideration in industrial environments.
All of this compounds the seriousness of last week's announced vulnerabilities. The BadAlloc class of integer overflow vulnerabilities are not complicated, yet are severe (CVSS v3 scores of 9.8) and can be attacked remotely. Their existence amplifies several hallmarks of IoT insecurity, that include a lack of modern safeguards for memory allocation overflows.
In industrial environments with substantial legacy software and equipment, this can introduce additional risk for a number of reasons, including an intolerance for the downtime required to update systems, some devices that cannot be reached, or lack an update mechanism altogether. Some organizations may also lack innate security resources and cybersecurity may be a secondary responsibility for an OT network operator, for example. In that case, there could be a lack of awareness and visibility into vulnerabilities within their environment.
ICS-CERT, meanwhile, has published a number of mitigations:
Users should monitor the ICS-CERT advisory for updates from affected vendors. While many have already provided updates, have updates in progress, or no longer support vulnerable RTOS versions that will not be updated.
ICS-CERT advises segmenting control system networks from business networks, and not connecting them directly to the internet.
Control system networks and remote devices should be located behind firewalls.
ICS-CERT also recommends updated VPNs for remote access.
CWE-191 INTEGER UNDERFLOW (WRAP OR WRAPAROUND):
The affected product is vulnerable to an integer underflow. An unauthenticated attacker could send a malformed HTTP Requesty, which could allow the attacker to crash the program.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 5.3
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION'):
The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 9.8
CWE-121 STACK-BASED BUFFER OVERFLOW:
The affected product is vulnerable to a stack-based buffer overflow. An unauthenticated attacker could send a malicious HTTP request that the webserver fails to properly check input size before copying data to the stack, potentially allowing remote code execution.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 9.8
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor:
Ruijie Reyee OS versions prior to 2.260.0.1329 contains a a feature that could enable sub accounts
or attackers attackers to view and exfiltrate sensitive information from all cloud accounts registered to Ruijie's services.
CVSS v3: 6.5
CWE-1391 Use of Weak Credentials:
Ruijie Reyee OS versions prior to 2.260.0.1329 uses weak credential mechanism that could allow
an attacker to easily calculate MQTT credentials.
Ruijie reports that the issues have been fixed on the cloud and no action is needed by end users.
CVSS v3: 7.5
