RCE Vulnerabilities in IoT and OT
David Atch, Omri Ben Bassat, and Tamir Ariel from Section 52 of Microsoft’s Azure Defender for IoT research group has detailed a new report, explaining 25 critical vulnerabilities in various IoT and Operational Technology (OT) systems. These are collectively known as BadAlloc, as they’re known to be Wraparound bugs or the memory allocation integer overflow ones. Researchers found these bugs to be available in embedded software development kits (SDKs), several real-time operating systems (RTOS), and C standard library (libs) implementations in their memory allocation functions. And the issue here is defined as improper input validations used by all these devices. This has been happening for years, with vendors failing to adopt proper validation protocols. Researchers warned that a hacker could perform a heap overflow attack to exploit these bugs and execute a malicious code remotely on the target’s device. Thus, they warned users to be aware and patch them immediately. Researchers have shared their findings with the CISA, which has published an advisory containing the URLs to patches for all affected devices as below; Meanwhile, for those devices where the patches are unavailable or delayed, CISA has recommended the following practices for securing themselves;
Locate control system networks and remote devices behind firewalls, and isolate them from the business network. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also, remember that VPN is only as secure as its connected devices.