Over two dozen critical Remote Code Execution (RCE) vulnerabilities in Internet of Things (IoT) applications and Operational Technology (OT) industrial systems have been discovered by Microsoft security researchers.
BadAlloc refers to a group of 25 security vulnerabilities triggered by memory allocation Integer Overflow or Wraparound bugs.
Hackers can misuse them to cause device crashes and remotely execute malicious code on IoT and OT systems that are vulnerable.
Microsoft researchers discovered the flaws in standard memory allocation functions that are used in Real-Time Operating Systems (RTOS), C standard library (libc) implementations, and embedded Software Development Kits (SDKs).
Commenting on the development, the Microsoft Security Response Center team said “Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations,”
“Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.”