Microsoft today disclosed more than 25 critical memory allocation vulnerabilities in Internet of Things (IoT) and operational technology (OT) devices that could enable an attacker to bypass security controls and execute malicious code or cause a system to crash in industrial, medical, and enterprise networks.
These remote code execution (RCE) flaws are collectively dubbed "BadAlloc" and they exist in standard memory allocation functions spanning broadly used real-time operating systems, embedded software development kits, and C standard library implementations. Microsoft has not seen any evidence of the CVEs being exploited but urges organizations to patch quickly.
All of these vulnerabilities stem from the use of vulnerable memory functions including malloc, calloc, realloc, memalign, valloc, pvalloc, and more, the Microsoft Security and Response Center writes in a blog post. Research indicates memory allocation implementations written over the years for IoT devices and embedded software have not included the proper input validations; without these, an attacker can exploit memory allocation to execute code on a target device.
Microsoft has shared its findings with affected vendors and the Department of Homeland Security. The Cybersecurity and Infrastructure Security Agency has published an advisory with a full list of affected products, vulnerability descriptions, and links to patches and mitigations.
Read Microsoft's full blog post for more details.