Late last week, Microsoft's IoT security research group put industrial network operators on notice about 25 vulnerabilities in widely used software development kits and C-standard libraries found in embedded devices, industrial control systems, and operational technology networks.
Microsoft nicknames this class of memory allocation vulnerabilities affecting these so-called real-time operating systems, BadAlloc. The reference is to the use of vulnerable memory functions in these embedded systems, including malloc, calloc, realloc, memalign, valloc, pvalloc, and others, Microsoft said.
A threat actor can use these vulnerabilities to bypass existing security controls and run malicious code or crash industrial processes and systems. Microsoft said these memory allocation implementations lack proper input validation, which would hamper an attacker's ability to perform heap overflow attacks and run code of their choice on an industrial IoT device, OT network, or control system.
Microsoft adds that it is not aware of publicly available exploits for these vulnerabilities. ICS-CERT, meanwhile, has published an extensive advisory that includes a list of affected products, versions, and whether updates are available for the respective affected product; many products have been patched, while others are either no longer supported, or updates are forthcoming.
Below is a list of affected products, courtesy of ICS-CERT:
Product | Update |
Amazon FreeRTOS | Update available |
Apache Nuttx OS Version 9.1.0 | Update available |
ARM CMSIS-RTOS2 | Update in progress, expected in June |
ARM Mbed OS | Update available |
ARM mbed-uallaoc | No longer supported, and no fix will be issued. |
Cesanta Software mongooses | Update available |
eCosCentric eCosPro RTOS | Update to Versions 4.5.4 and newer – Update available |
Google Cloud IoT Device SDK | Update available |
Media Tek LinkIt SDK | MediaTek will provide the update to users. No fix for free version, as it is not intended for production use. |
Micrium OS | Update to v5.10.2 or later – Update available |
Micrium uCOS-II/uCOS-III | Update to v1.39.1 – Update not yet released |
NXP MCUXpresso SDK | Update to 2.9.0 or later |
NXP MQX | Update to 5.1 or newer – Update available |
Redhat Newlib | Update available |
RIOT OS | Update available |
Samsung Tizen RT RTOS | Update available |
TencentOS-tiny | Update available |
Texas Instruments CC32XX | Update to v4.40.00.07 |
Texas Instruments SimpleLink CC13X0 | Update to v4.10.03; Update not yet released |
Texas Instruments SimpleLink CC13X2-CC26X2 | Update to v4.40.00; Update not yet released |
Texas Instruments SimpleLink CC2640R2 | Update to v4.40.00; Update not yet released |
Texas Instruments SimpleLink MSP432E4 | Confirmed. No update currently planned. |
uClibc-ng | Update available |
WindRiver VxWorks | Update in progress |
Real-time operating systems (RTOS) are pervasive, not only inside embedded systems, including industrial IoT devices, but also in critical Purdue Model Level 1 and 2 gear such as programmable logic controllers (PLCs), remote terminal units (RTUs), and human machine interfaces (HMIs).
They are so-called because, unlike more conventional operating systems, the scheduler inside a RTOS is predictable, ensuring capabilities are available within a particular time allocation (usually measured in tenths of a second). Embedded systems—including industrial control systems—have such requirements and must be responsive within a defined deadline, otherwise, for example, production systems may fail because a robot would be late in responding.
Most RTOS within PLCs, for example, interpret the ladder logic that programs the controller. In manufacturing environments, PLCs must operate in as close to real time as possible, and the RTOS ensures that functionality; they provide deterministic responses to external events. On the contrary, Windows and UNIX operating systems stay responsive to user inputs.
RTOS's power is in its scheduler, affording operators the ability to prioritize critical processing. RTOS' also have smaller code bases, and because of the way they run are efficient and easier to maintain. Operators have flexibility in choosing from numerous open source RTOS, and many are safety certified, a key consideration in industrial environments.
All of this compounds the seriousness of last week's announced vulnerabilities. The BadAlloc class of integer overflow vulnerabilities are not complicated, yet are severe (CVSS v3 scores of 9.8) and can be attacked remotely. Their existence amplifies several hallmarks of IoT insecurity, that include a lack of modern safeguards for memory allocation overflows.
In industrial environments with substantial legacy software and equipment, this can introduce additional risk for a number of reasons, including an intolerance for the downtime required to update systems, some devices that cannot be reached, or lack an update mechanism altogether. Some organizations may also lack innate security resources and cybersecurity may be a secondary responsibility for an OT network operator, for example. In that case, there could be a lack of awareness and visibility into vulnerabilities within their environment.
ICS-CERT, meanwhile, has published a number of mitigations:
Users should monitor the ICS-CERT advisory for updates from affected vendors. While many have already provided updates, have updates in progress, or no longer support vulnerable RTOS versions that will not be updated.
ICS-CERT advises segmenting control system networks from business networks, and not connecting them directly to the internet.
Control system networks and remote devices should be located behind firewalls.
ICS-CERT also recommends updated VPNs for remote access.
Hardcoded credentials in the Frick Controls Quantum HD create a vulnerability that leads to unauthorized access, exposure of sensitive information, and potential misuse or system compromise.
The Frick Controls Quantum HD, versions 10.22 through 11, are legacy platforms that have reached end of support. Johnson Controls, Inc. recommends upgrading to the latest platform, Quantum HD Unity, version 12 or higher. After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.
CVSS v3: 6.2
The Frick Controls Quantum HD contains a vulnerability that allows an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise.
The Frick Controls Quantum HD, versions 10.22 through 11, are legacy platforms that have reached end of support. Johnson Controls, Inc. recommends upgrading to the latest platform, Quantum HD Unity, version 12 or higher. After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.
CVSS v3: 7.5
The Frick Controls Quantum HD is vulnerable due to insufficient validation of input in certain parameters that may permit unexpected actions, which could impact the security of the device before authentication occurs.
The Frick Controls Quantum HD, versions 10.22 through 11, are legacy platforms that have reached end of support. Johnson Controls, Inc. recommends upgrading to the latest platform, Quantum HD Unity, version 12 or higher. After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.
CVSS v3: 9.1
The Frick Controls Quantum HD is vulnerable due to insufficient validation of input in certain parameters that may permit unexpected actions, which could impact the security of the device before authentication occurs.
The Frick Controls Quantum HD, versions 10.22 through 11, are legacy platforms that have reached end of support. Johnson Controls, Inc. recommends upgrading to the latest platform, Quantum HD Unity, version 12 or higher. After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.
CVSS v3: 9.1
The Frick Controls Quantum HD is vulnerable due to insufficient validation of input in certain parameters that may permit unexpected actions, which could impact the security of the device before authentication occurs.
The Frick Controls Quantum HD, versions 10.22 through 11, are legacy platforms that have reached end of support. Johnson Controls, Inc. recommends upgrading to the latest platform, Quantum HD Unity, version 12 or higher. After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.
CVSS v3: 9.1
