Microsoft finds critical code execution bugs in IoT, OT devices

silversurfer

Level 75
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,457
Microsoft security researchers have discovered over two dozen critical remote code execution (RCE) vulnerabilities in Internet of Things (IoT) devices and Operational Technology (OT) industrial systems.

These 25 security flaws are known collectively as BadAlloc and are caused by memory allocation Integer Overflow or Wraparound bugs.

Threat actors can exploit them to trigger system crashes and execute malicious code remotely on vulnerable IoT and OT systems.

The vulnerabilities were found by Microsoft's researchers in standard memory allocation functions widely used in multiple real-time operating systems (RTOS), C standard library (libc) implementations, and embedded software development kits (SDKs).

"Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations," the Microsoft Security Response Center team said.

"Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device."
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,451
A cybersecurity flaw in a software designed by BlackBerry Ltd (BB.TO) could put at risk cars and medical equipment that use it and expose highly sensitive systems to attackers, the U.S. drugs regulator and a federal agency said on Tuesday. The warning came after the Canadian company disclosed that its QNX Real Time Operating System (QNX RTOS) has a vulnerability that could allow an attacker to execute an arbitrary code or flood a server with traffic until it crashes or gets paralyzed.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the software is used in a wide range of products and its compromise "could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation's critical functions"
BlackBerry had initially denied that the vulnerability, dubbed as BadAlloc, impacted its products and later resisted making a public announcement, Politico reported, citing two people familiar with talks between the company and federal cybersecurity officials, including a government employee.
 
Top