Late last week, Microsoft's IoT security research group put industrial network operators on notice about 25 vulnerabilities in widely used software development kits and C-standard libraries found in embedded devices, industrial control systems, and operational technology networks.
Microsoft nicknames this class of memory allocation vulnerabilities affecting these so-called real-time operating systems, BadAlloc. The reference is to the use of vulnerable memory functions in these embedded systems, including malloc, calloc, realloc, memalign, valloc, pvalloc, and others, Microsoft said.
A threat actor can use these vulnerabilities to bypass existing security controls and run malicious code or crash industrial processes and systems. Microsoft said these memory allocation implementations lack proper input validation, which would hamper an attacker's ability to perform heap overflow attacks and run code of their choice on an industrial IoT device, OT network, or control system.
Microsoft adds that it is not aware of publicly available exploits for these vulnerabilities. ICS-CERT, meanwhile, has published an extensive advisory that includes a list of affected products, versions, and whether updates are available for the respective affected product; many products have been patched, while others are either no longer supported, or updates are forthcoming.
Below is a list of affected products, courtesy of ICS-CERT:
Product | Update |
Amazon FreeRTOS | Update available |
Apache Nuttx OS Version 9.1.0 | Update available |
ARM CMSIS-RTOS2 | Update in progress, expected in June |
ARM Mbed OS | Update available |
ARM mbed-uallaoc | No longer supported, and no fix will be issued. |
Cesanta Software mongooses | Update available |
eCosCentric eCosPro RTOS | Update to Versions 4.5.4 and newer – Update available |
Google Cloud IoT Device SDK | Update available |
Media Tek LinkIt SDK | MediaTek will provide the update to users. No fix for free version, as it is not intended for production use. |
Micrium OS | Update to v5.10.2 or later – Update available |
Micrium uCOS-II/uCOS-III | Update to v1.39.1 – Update not yet released |
NXP MCUXpresso SDK | Update to 2.9.0 or later |
NXP MQX | Update to 5.1 or newer – Update available |
Redhat Newlib | Update available |
RIOT OS | Update available |
Samsung Tizen RT RTOS | Update available |
TencentOS-tiny | Update available |
Texas Instruments CC32XX | Update to v4.40.00.07 |
Texas Instruments SimpleLink CC13X0 | Update to v4.10.03; Update not yet released |
Texas Instruments SimpleLink CC13X2-CC26X2 | Update to v4.40.00; Update not yet released |
Texas Instruments SimpleLink CC2640R2 | Update to v4.40.00; Update not yet released |
Texas Instruments SimpleLink MSP432E4 | Confirmed. No update currently planned. |
uClibc-ng | Update available |
WindRiver VxWorks | Update in progress |
Real-time operating systems (RTOS) are pervasive, not only inside embedded systems, including industrial IoT devices, but also in critical Purdue Model Level 1 and 2 gear such as programmable logic controllers (PLCs), remote terminal units (RTUs), and human machine interfaces (HMIs).
They are so-called because, unlike more conventional operating systems, the scheduler inside a RTOS is predictable, ensuring capabilities are available within a particular time allocation (usually measured in tenths of a second). Embedded systems—including industrial control systems—have such requirements and must be responsive within a defined deadline, otherwise, for example, production systems may fail because a robot would be late in responding.
Most RTOS within PLCs, for example, interpret the ladder logic that programs the controller. In manufacturing environments, PLCs must operate in as close to real time as possible, and the RTOS ensures that functionality; they provide deterministic responses to external events. On the contrary, Windows and UNIX operating systems stay responsive to user inputs.
RTOS's power is in its scheduler, affording operators the ability to prioritize critical processing. RTOS' also have smaller code bases, and because of the way they run are efficient and easier to maintain. Operators have flexibility in choosing from numerous open source RTOS, and many are safety certified, a key consideration in industrial environments.
All of this compounds the seriousness of last week's announced vulnerabilities. The BadAlloc class of integer overflow vulnerabilities are not complicated, yet are severe (CVSS v3 scores of 9.8) and can be attacked remotely. Their existence amplifies several hallmarks of IoT insecurity, that include a lack of modern safeguards for memory allocation overflows.
In industrial environments with substantial legacy software and equipment, this can introduce additional risk for a number of reasons, including an intolerance for the downtime required to update systems, some devices that cannot be reached, or lack an update mechanism altogether. Some organizations may also lack innate security resources and cybersecurity may be a secondary responsibility for an OT network operator, for example. In that case, there could be a lack of awareness and visibility into vulnerabilities within their environment.
ICS-CERT, meanwhile, has published a number of mitigations:
Users should monitor the ICS-CERT advisory for updates from affected vendors. While many have already provided updates, have updates in progress, or no longer support vulnerable RTOS versions that will not be updated.
ICS-CERT advises segmenting control system networks from business networks, and not connecting them directly to the internet.
Control system networks and remote devices should be located behind firewalls.
ICS-CERT also recommends updated VPNs for remote access.
CWE-257: Storing Passwords in a Recoverable Format
RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could gain all the plaintext passwords and decrypt them.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 5.3
CWE-321: Use of Hard-coded Cryptographic Key
A built-in user called sshuser, with root privileges, exists on the RND platform. Both public and private ssh keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 10.0
CWE-259: Use of Hard-coded Password
RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 8.2
CWE-321: Use of Hard-coded Cryptographic Key
RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.8
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.0
