Security News > 2021 > April > BadAlloc: Microsoft looked at memory allocation code in tons of devices and found this one common security flaw

Microsoft has taken a look at memory management code used in a wide range of equipment, from industrial control systems to healthcare gear, and found it can be potentially exploited to hijack devices.

Drilling down to the nitty-gritty: Microsoft's Azure Defender for IoT security research group looked at memory allocation functions, such as malloc(), provided by real-time operating systems, standard C libraries, and software development kits all aimed at embedded electronics: that's Internet-of-Things devices, industrial control systems, and so-called operational technology.

The team found a programming blunder common among much of the software: integer overflows during heap memory allocation.

The trouble is that a vulnerable memory allocator could take that large size - eg, 0xffffffff on a 32-bit embedded system - and add something like 8 to it because the requested memory block needs eight bytes of metadata to describe it.

It would be nice if application code trapped oversize allocations, but in any case, Microsoft found OS and library-level code let it all sail through, too, due to the overflows.

"At the same time, we recognize that patching IoT/OT devices can be complex. For devices that cannot be patched immediately, we recommend mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets."

News URL

https://go.theregister.com/feed/www.theregister.com/2021/04/29/microsoft_badalloc_iot/