More than 25 critical memory allocation bugs could enable attackers to bypass security controls in industrial, medical, and enterprise devices.

Dark Reading Staff, Dark Reading

April 30, 2021

1 Min Read

Microsoft today disclosed more than 25 critical memory allocation vulnerabilities in Internet of Things (IoT) and operational technology (OT) devices that could enable an attacker to bypass security controls and execute malicious code or cause a system to crash in industrial, medical, and enterprise networks.

These remote code execution (RCE) flaws are collectively dubbed "BadAlloc" and they exist in standard memory allocation functions spanning broadly used real-time operating systems, embedded software development kits, and C standard library implementations. Microsoft has not seen any evidence of the CVEs being exploited but urges organizations to patch quickly.

All of these vulnerabilities stem from the use of vulnerable memory functions including malloc, calloc, realloc, memalign, valloc, pvalloc, and more, the Microsoft Security and Response Center writes in a blog post. Research indicates memory allocation implementations written over the years for IoT devices and embedded software have not included the proper input validations; without these, an attacker can exploit memory allocation to execute code on a target device.

Microsoft has shared its findings with affected vendors and the Department of Homeland Security. The Cybersecurity and Infrastructure Security Agency has published an advisory with a full list of affected products, vulnerability descriptions, and links to patches and mitigations.

Read Microsoft's full blog post for more details.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights