Microsoft security researchers have disclosed a series of IoT (Internet of Things) vulnerabilities that could be used to bypass security controls to execute malicious code or crash a system. The flaws are integer overflow bugs in memory allocation functions; an attacker who triggers them remotely can crash the device or execute malicious code on it.
According to Microsoft’s Azure Defender research group, Section 52, the flaws affect 25 different products by manufacturers such as Amazon, ARM, Google, Samsung, and many others. Seventeen of these products do have active patches, but the remaining products are no longer supported by the vendor and therefore unlikely to be patched. It is unknown at this stage how many vulnerable IoT devices are exposed.
“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations,” the Microsoft research team stated. “Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.”
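To illustrate the bug class the researchers describe, here is an added example (not code from Microsoft or from any of the listed products): a hypothetical embedded allocator's chunk-size computation, first without input validation and then with it. ALIGN and HDR_SIZE are assumed values chosen for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical allocator parameters, chosen for illustration only. */
#define ALIGN    8u    /* allocation granularity in bytes */
#define HDR_SIZE 16u   /* per-chunk bookkeeping header */

/* Unvalidated size computation: round the request up to ALIGN and add the
 * chunk header. Both steps can wrap around size_t, so a request near SIZE_MAX
 * yields a tiny chunk while the caller believes it owns the full request;
 * writing into that buffer then overflows the heap. */
size_t chunk_size_unchecked(size_t request)
{
    size_t rounded = (request + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
    return rounded + HDR_SIZE;
}

/* Validated version: each addition is checked against SIZE_MAX before it is
 * performed. Returns 0 (never a valid chunk size here, since every chunk
 * carries a header) when the arithmetic would wrap, so the allocator can
 * fail the request instead of under-sizing it. */
size_t chunk_size_checked(size_t request)
{
    if (request > SIZE_MAX - (ALIGN - 1))
        return 0;                           /* rounding would wrap */
    size_t rounded = (request + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
    if (rounded > SIZE_MAX - HDR_SIZE)
        return 0;                           /* adding the header would wrap */
    return rounded + HDR_SIZE;
}

/* calloc-style element-count multiplication, validated the same way. */
size_t array_size_checked(size_t nmemb, size_t elem)
{
    if (nmemb != 0 && elem > SIZE_MAX / nmemb)
        return 0;                           /* nmemb * elem would wrap */
    return chunk_size_checked(nmemb * elem);
}

int main(void)
{
    size_t huge = SIZE_MAX - 3;
    printf("unchecked: request %zu -> chunk of %zu bytes\n", huge, chunk_size_unchecked(huge));
    printf("checked:   request %zu -> %zu (0 = rejected)\n", huge, chunk_size_checked(huge));
    printf("checked:   request 100 -> %zu bytes\n", chunk_size_checked(100));
    return 0;
}
```

The unchecked path turns a request of SIZE_MAX - 3 into a 16-byte chunk, which is exactly the under-allocation that later lets an oversized write corrupt the heap; the checked path refuses it.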
Although exploits of these vulnerabilities have not yet shown up in the wild, there is only a small window of opportunity for vendors to patch or isolate vulnerable IoT devices. For devices that cannot be patched immediately, Microsoft advises “mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets.”
With the ever-broadening range of IoT devices emerging, the disclosure of these new vulnerabilities is a stark reminder for organizations to ensure that all IoT devices are included in patch management and security monitoring.
Products affected are:
- Amazon FreeRTOS, Version 10.4.1
- Apache Nuttx OS, Version 9.1.0
- ARM CMSIS-RTOS2, versions prior to 2.1.3
- ARM Mbed OS, Version 6.3.0
- ARM mbed-ualloc, Version 1.3.0
- Cesanta Software Mongoose OS, v2.17.0
- eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
- Google Cloud IoT Device SDK, Version 1.0.2
- Linux Zephyr RTOS, versions prior to 2.4.0
- Media Tek LinkIt SDK, versions prior to 4.6.1
- Micrium OS, Versions 5.10.1 and prior
- Micrium uCOS II/uCOS III Versions 1.39.0 and prior
- NXP MCUXpresso SDK, versions prior to 2.8.2
- NXP MQX, Versions 5.1 and prior
- Redhat newlib, versions prior to 4.0.0
- RIOT OS, Version 2020.01.1
- Samsung Tizen RT RTOS, versions prior to 3.0.GBB
- TencentOS-tiny, Version 3.1.0
- Texas Instruments CC32XX, versions prior to 4.40.00.07
- Texas Instruments SimpleLink MSP432E4XX
- Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
- Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
- Uclibc-NG, versions prior to 1.0.36
- Windriver VxWorks, prior to 7.0
About Microsoft's Section 52
Microsoft’s Section 52 is the security research group for Azure Defender for IoT. The group consists of security researchers and data scientists with deep domain expertise in IoT/OT threat hunting, malware reverse engineering, incident response, and data analysis. The group also provides ongoing threat intelligence updates to Azure Defender for IoT, enabling detection and mitigation of the most recent IoT/OT vulnerabilities and threats.