Discovered by the company's security research group for Azure Defender for IoT (known as "Section 52"), the remote code execution (RCE) vulnerabilities cover more than 25 Common Vulnerabilities and Exposures (CVEs) and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems. The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOSs), embedded software development kits (SDKs), and C standard library (libc) implementations.
The findings, says the company, have been shared with vendors through responsible disclosure led by the Microsoft Security Response Center (MSRC) and the Department of Homeland Security (DHS), enabling these vendors to investigate and patch the vulnerabilities.
The company says: "Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds." "To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, we strongly encourage organizations to patch their systems as soon as possible."
"BadAlloc" is the name the company's Section 52 has assigned to the family of vulnerabilities found in embedded IoT and OT operating systems and software, chosen to describe this class of memory overflow bugs. All of them stem from vulnerable memory allocation functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and others.
The company says its research shows that memory allocation implementations written over the years as part of IoT devices and embedded software have not incorporated proper input validation. Without such validation, an attacker can abuse the allocation function to cause a heap overflow, resulting in execution of malicious code on the target device.
The flaw is triggered by calling an allocation function such as malloc(value) with a size argument that is derived dynamically from external input and is large enough to cause an integer overflow or wraparound during the allocator's internal size arithmetic. The concept is as follows:
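The following is an added illustration of the pattern described above, not code from the Microsoft report or from any affected RTOS or libc. It models a tiny bump allocator whose per-chunk bookkeeping (a hypothetical 16-byte header and 8-byte alignment) is added to the caller's request without any overflow check, next to a hardened version that rejects requests whose arithmetic would wrap. All names (`vulnerable_malloc`, `hardened_malloc`, `HEADER_SIZE`, `ALIGN`, the static `arena`) are assumptions made for this example.

```c
/* Added example of the BadAlloc integer-wraparound pattern (hypothetical
 * allocator, not code from any affected product). Compile with any C99
 * compiler; the arena is a static buffer so it runs stand-alone. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEADER_SIZE 16   /* hypothetical bookkeeping prepended to every chunk */
#define ALIGN       8    /* hypothetical alignment granularity */

static unsigned char arena[4096];  /* constructed backing store for the toy heap */
static size_t arena_used;

void arena_reset(void) { arena_used = 0; }

/* Round n up to a multiple of ALIGN. Unsigned addition wraps, so a value
 * within ALIGN-1 of SIZE_MAX silently becomes a tiny number. */
static size_t round_up(size_t n) {
    return (n + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
}

/* The chunk size an unchecked allocator would compute. Exposed as a
 * function so the wraparound can be observed directly. */
size_t vulnerable_chunk_size(size_t requested) {
    return round_up(requested + HEADER_SIZE);   /* may wrap past SIZE_MAX */
}

/* Hardened equivalent: refuse any request whose header and alignment
 * arithmetic cannot fit in size_t. Returns 1 and sets *out on success. */
int hardened_chunk_size(size_t requested, size_t *out) {
    if (requested > SIZE_MAX - HEADER_SIZE - (ALIGN - 1))
        return 0;                               /* would wrap: reject */
    *out = round_up(requested + HEADER_SIZE);
    return 1;
}

/* Vulnerable allocator: the size check runs on the already-wrapped chunk
 * size, so an enormous attacker-supplied request is accepted and a chunk
 * with almost no usable bytes is handed back. The caller, still believing
 * it owns `size` bytes, then writes into it and overflows the heap. */
void *vulnerable_malloc(size_t size) {
    size_t chunk = vulnerable_chunk_size(size);
    if (chunk > sizeof(arena) - arena_used)
        return NULL;
    unsigned char *p = arena + arena_used;
    arena_used += chunk;
    memcpy(p, &size, sizeof size);  /* header records the (bogus) request */
    return p + HEADER_SIZE;
}

/* Hardened allocator: validate before doing any arithmetic on the size. */
void *hardened_malloc(size_t size) {
    size_t chunk;
    if (!hardened_chunk_size(size, &chunk))
        return NULL;
    if (chunk > sizeof(arena) - arena_used)
        return NULL;
    unsigned char *p = arena + arena_used;
    arena_used += chunk;
    memcpy(p, &size, sizeof size);
    return p + HEADER_SIZE;
}

int main(void) {
    /* Constructed attacker-controlled length, e.g. parsed from a packet. */
    size_t evil = SIZE_MAX - 4;
    printf("request %zu -> vulnerable chunk %zu bytes\n",
           evil, vulnerable_chunk_size(evil));          /* wraps to 16 */
    arena_reset();
    printf("vulnerable_malloc: %s\n",
           vulnerable_malloc(evil) ? "returned a chunk" : "NULL");
    arena_reset();
    printf("hardened_malloc:   %s\n",
           hardened_malloc(evil) ? "returned a chunk" : "NULL");
    return 0;
}
```

With a 64-bit `size_t`, a request of `SIZE_MAX - 4` plus the 16-byte header wraps to 11, rounds up to 16, and passes the arena bounds check; the returned pointer has zero usable bytes behind it while the caller believes it has nearly 2^64. The hardened check is the one-line input validation the report says many embedded allocators lack.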