Overview of TIR-20210502

This report is an overview of a series of vulnerabilities discovered by Microsoft’s Section 52 research team, which they have labeled “BadAlloc”. More than 25 critical memory allocation vulnerabilities affecting various consumer, industrial, and medical IoT and OT devices have been identified. Successful exploitation of these vulnerabilities may give a malicious actor the ability to inject or execute remote code or cause the system to crash. CISA has posted an advisory that provides an up-to-date list of vulnerabilities, affected products and vendor-supplied patches.

BadAlloc Tactics, Techniques, and Procedures

“BadAlloc” consists of multiple remote code execution (RCE) vulnerabilities that have affected various products including consumer and medical IoT, Industrial IoT, Operational Technology (OT), and industrial control systems. The issue exists in the standard memory allocation functions within real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. Microsoft’s research team found that memory allocation implementations written for IoT devices and embedded software lacked proper input validation.

The vulnerabilities were observed in memory functions such as malloc, calloc, realloc, valloc, pvalloc, etc. Memory allocation vulnerabilities may be exploited by calling the memory allocation function with a value large enough to trigger an integer overflow or wraparound. An integer overflow or wraparound occurs when an integer value is too large to store in its associated representation, so the allocator computes a much smaller size than was requested. This may give an attacker the ability to create infinite loops causing the system to crash, or to trigger buffer overflows which can be used to execute arbitrary code. The CVEs listed below have been assigned to these vulnerabilities. Any additional BadAlloc vulnerabilities will be listed in the ICS Advisory (ICSA-21-119-04) which can be found on the CISA website (a link to this advisory is listed in the Supporting Documents section of this report).

  • CVE-2021-30636 - MediaTek LinkIt SDK versions prior to 4.6.1 are vulnerable to integer overflow in the memory allocation calls pvPortCalloc (calloc) and pvPortRealloc (realloc).
  • CVE-2021-27431 - Arm CMSIS RTOS2 versions prior to 2.1.3 are vulnerable to integer wrap-around in the osRtxMemoryAlloc function (the local malloc equivalent).
  • CVE-2021-27433 - Arm mbed-uallaoc memory library Version 1.3.0 is vulnerable to integer wrap-around in function mbed_krbs.
  • CVE-2021-27435 - Arm mbed product Version 6.3.0 is vulnerable to integer wrap-around in the malloc_wrapper function.
  • CVE-2021-27427 - RIOT OS Version 2020.01.1 is vulnerable to integer wrap-around in its implementation of the calloc function.
  • CVE-2021-22684 - Samsung Tizen RT RTOS version 3.0.GBB is vulnerable to integer wrap-around in the functions _calloc and mm_zalloc.
  • CVE-2021-27439 - TencentOS-tiny Version 3.1.0 is vulnerable to integer wrap-around in the function 'tos_mmheap_alloc' due to incorrect calculation of the effective memory allocation size.
  • CVE-2021-27425 - Cesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-around in function mm_malloc.
  • CVE-2021-26461 - Apache Nuttx OS Version 9.1.0 is vulnerable to integer wrap-around in functions malloc, realloc, and memalign.
  • CVE-2020-35198/CVE-2020-28895 - Wind River VxWorks, several firmware versions prior to 7.0, is vulnerable to weaknesses in the following functions: calloc (memLib), mmap/mmap64 (mmanLib), cacheDmaMalloc (cacheLib) and cacheArchDmaMalloc (cacheArchLib).
  • CVE-2021-31571/CVE-2021-31572 - Amazon FreeRTOS Version 10.4.1 is vulnerable to integer wrap-around in multiple memory management API functions (MemMang, Queue, StreamBuffer).
  • CVE-2021-27417 - eCosCentric eCosPro RTOS Versions 2.0.1 through 4.5.3 are vulnerable to integer wraparound in function calloc (an implementation of malloc).
  • CVE-2021-3420 - Redhat newlib versions prior to 4.0.0 are vulnerable to integer wrap-around in malloc and nano-malloc family routines (memalign, valloc, pvalloc, nano_memalign, nano_valloc, nano_pvalloc) due to insufficient checking in memory alignment logic.
  • CVE-2021-27411 - Micrium OS Versions 5.10.1 and prior are vulnerable to integer wrap-around in functions Mem_DynPoolCreate, Mem_DynPoolCreateHW and Mem_PoolCreate.
  • CVE-2021-26706 - Micrium uCOS-II and uCOS-III Versions 1.39.0 and prior are vulnerable to integer wrap-around in functions Mem_DynPoolCreate, Mem_DynPoolCreateHW, and Mem_PoolCreate.
  • CVE-2021-27421 - NXP MCUXpresso SDK versions prior to 2.8.2 are vulnerable to integer overflow in the SDK_Malloc function.
  • CVE-2021-22680 - NXP MQX Versions 5.1 and prior are vulnerable to integer overflow in mem_alloc, _lwmem_alloc, and _partition functions. This unverified memory assignment can lead to arbitrary memory allocation.
  • CVE-2021-27419 - uClibc-ng versions prior to 1.0.37 are vulnerable to integer wrap-around in the function malloc-simple. This improper memory assignment can lead to arbitrary memory allocation.
  • CVE-2021-27429 - Texas Instruments TI-RTOS returns a valid pointer to a small buffer on extremely large values. This can trigger an integer overflow vulnerability in 'HeapTrack_alloc'.
  • CVE-2021-22636 - Texas Instruments TI-RTOS returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'malloc'.
  • CVE-2021-27504 - On Texas Instruments devices running FreeRTOS, malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'malloc'.
  • CVE-2021-27502 - In Texas Instruments TI-RTOS, when configured to use the HeapMem heap (the default), malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'HeapMem_allocUnprotected'.
  • Google Cloud IoT Device SDK Version 1.0.2 is vulnerable to heap overflow due to integer overflow in its implementation of calloc.
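As an added illustration of the defect class described above (not code from any of the vendors or projects listed in this report), the following constructed C program implements a toy bump allocator whose size rounding and calloc multiplication wrap exactly as the CVE descriptions state, beside checked versions that reject the out-of-range request. The arena size, alignment constant and toy_* function names are assumptions made for this example.

```c
/* Added example: a toy allocator reproducing the BadAlloc arithmetic defects
 * beside checked versions. Constructed for this report; not vendor code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096u   /* assumption: a 4 KiB static heap */
#define ALIGN 8u           /* assumption: 8-byte allocation granularity */

static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

void toy_heap_reset(void) { arena_used = 0; memset(arena, 0, sizeof arena); }

/* Round a request up to ALIGN. This is the usual idiom, and on its own it
 * wraps: for size == SIZE_MAX, size + 7 wraps to 6, and 6 & ~7 == 0. */
size_t toy_reserved_for(size_t size) {
    return (size + ALIGN - 1) & ~(size_t)(ALIGN - 1);
}

/* Vulnerable pattern: the rounded size is compared against free space but
 * never against the original request, so a wrapped value passes the check
 * and the caller gets a "valid" pointer to a buffer far smaller than asked. */
void *toy_malloc_vulnerable(size_t size) {
    size_t need = toy_reserved_for(size);
    if (need > ARENA_SIZE - arena_used) return NULL;
    void *p = arena + arena_used;
    arena_used += need;
    return p;
}

/* Hardened: refuse any request the rounding step cannot represent. */
void *toy_malloc_fixed(size_t size) {
    if (size > SIZE_MAX - (ALIGN - 1)) return NULL;  /* rounding would wrap */
    size_t need = toy_reserved_for(size);
    if (need < size) return NULL;                    /* defence in depth */
    if (need > ARENA_SIZE - arena_used) return NULL;
    void *p = arena + arena_used;
    arena_used += need;
    return p;
}

/* Vulnerable calloc: nmemb * size wraps before it reaches the allocator,
 * so even a checked malloc underneath cannot save it. */
void *toy_calloc_vulnerable(size_t nmemb, size_t size) {
    void *p = toy_malloc_fixed(nmemb * size);
    if (p) memset(p, 0, nmemb * size);
    return p;
}

/* Hardened calloc: portable multiplication-overflow check first. */
void *toy_calloc_fixed(size_t nmemb, size_t size) {
    if (size != 0 && nmemb > SIZE_MAX / size) return NULL;
    size_t total = nmemb * size;
    void *p = toy_malloc_fixed(total);
    if (p) memset(p, 0, total);
    return p;
}

int main(void) {
    toy_heap_reset();
    printf("bytes reserved for a SIZE_MAX request: %zu\n", toy_reserved_for(SIZE_MAX));
    printf("vulnerable malloc(SIZE_MAX): %s\n", toy_malloc_vulnerable(SIZE_MAX) ? "pointer" : "NULL");
    printf("fixed malloc(SIZE_MAX):      %s\n", toy_malloc_fixed(SIZE_MAX) ? "pointer" : "NULL");
    size_t n = SIZE_MAX / 4 + 2;   /* n * 4 wraps to 4 in size_t */
    printf("vulnerable calloc(n, 4):     %s\n", toy_calloc_vulnerable(n, 4) ? "pointer" : "NULL");
    printf("fixed calloc(n, 4):          %s\n", toy_calloc_fixed(n, 4) ? "pointer" : "NULL");
    return 0;
}
```

The two checks are the whole fix: compare the request against the largest value the rounding step can represent before rounding, and bound nmemb by SIZE_MAX / size before multiplying. Both work on 32-bit and 64-bit size_t, which matters for the RTOS and SDK targets in the list above.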

Affected Products

  • Amazon FreeRTOS, Version 10.4.1
  • Apache Nuttx OS, Version 9.1.0
  • ARM CMSIS-RTOS2, versions prior to 2.1.3
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-uallaoc, Version 1.3.0
  • Cesanta Software Mongoose OS, v2.17.0
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Linux Zephyr RTOS, versions prior to 2.4.0
  • Media Tek LinkIt SDK, versions prior to 4.6.1
  • Micrium OS, Versions 5.10.1 and prior
  • Micrium uCOS II/uCOS III Versions 1.39.0 and prior
  • NXP MCUXpresso SDK, versions prior to 2.8.2
  • NXP MQX, Versions 5.1 and prior
  • Redhat newlib, versions prior to 4.0.0
  • RIOT OS, Version 2020.01.1
  • Samsung Tizen RT RTOS, versions prior to 3.0.GBB
  • TencentOS-tiny, Version 3.1.0
  • Texas Instruments CC32XX, versions prior to 4.40.00.07
  • Texas Instruments SimpleLink MSP432E4XX
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  • Uclibc-NG, versions prior to 1.0.36
  • Wind River VxWorks, versions prior to 7.0

Business Unit Impact of the BadAlloc Vulnerabilities

  • A malicious actor may exploit the memory allocation function to perform a heap overflow which may give them the ability to execute malicious code on the victim's device.
  • Exploitation of these vulnerabilities may also cause the system to crash.

Our Recommendations

  • Ensure all products are up to date with vendor supplied patches.
  • Monitor all devices for anomalous or unauthorized behavior.
  • If a device cannot be patched immediately, reduce or remove its exposure to the internet.
  • Implement network security monitoring to detect behavioral indicators of compromise and incorporate network segmentation to protect critical assets.

Sources

Supporting Documentation

MITRE Mapping(s)

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.

This informed analysis is based on the latest data available.