BadAlloc: Critical bugs found in IoT devices and in OT systems

Sicherheit (Pexels, allgemeine Nutzung)[German]Microsoft security researchers have taken a closer look at Internet of Things (IoT) software used in devices and operational technology (OT) industrial systems. In the process, they have come across more than two dozen critical remote code execution vulnerabilities. The implications affect everything from IoT devices to medical devices to industrial systems.


I came across the issue the other day via the following tweet from colleagues at Bleeping Computer, but it has also already been pointed out by security researchers at other companies. 

Here in compact: Microsoft's Azure Defender for IoT security research group, also known as Section 52, recently disclosed a number of critical memory allocation vulnerabilities in IoT and OT devices in this article. These vulnerabilities, collectively known as BadAlloc, can be exploited by attackers to bypass security controls to execute malicious code or cause a system crash.

Microsoft has had more than 25 CVEs issued for these remote code execution (RCE) vulnerabilities. Security researchers write that the vulnerabilities potentially affect a wide range of areas, from consumer and medical IoT to industrial IoT, operational technology (OT) and industrial control systems. Fittingly, I just got a press release on the desk today about Cumulocity IoT for finding pests in containers, silos, etc. using traptice®. I couldn't find out if their software is affected by BadAlloc. But there the search for bugs gets a double meaning.

The vulnerabilities found by Microsoft are in standard memory allocation functions that span widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and implementations of the C standard library (libc). These findings were shared through responsible disclosure led by the Microsoft Security Response Center (MSRC) and the Department of Homeland Security (DHS) for vendors to investigate and patch the vulnerabilities. The DHS ICSA-21-119-04 Multiple RTOS website lists the products from the following list as affected.   


  • Amazon FreeRTOS, Version 10.4.1
  • Apache Nuttx OS, Version 9.1.0 
  • ARM CMSIS-RTOS2, versions prior to 2.1.3
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-uallaoc, Version 1.3.0
  • Cesanta Software Mongoose OS, v2.17.0
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Linux Zephyr RTOS, versions prior to 2.4.0
  • Media Tek LinkIt SDK, versions prior to 4.6.1
  • Micrium OS, Versions 5.10.1 and prior
  • Micrium uCOS II/uCOS III Versions 1.39.0 and prior
  • NXP MCUXpresso SDK, versions prior to 2.8.2
  • NXP MQX, Versions 5.1 and prior
  • Redhat newlib, versions prior to 4.0.0
  • RIOT OS, Version 2020.01.1 
  • Samsung Tizen RT RTOS, versions prior 3.0.GBB
  • TencentOS-tiny, Version 3.1.0
  • Texas Instruments CC32XX, versions prior to
  • Texas Instruments SimpleLink MSP432E4XX
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  • Uclibc-NG, versions prior to 1.0.36

The document also lists the CVEs as well as available updates from the manufacturers. Details about Microsoft's findings can be read in the article linked above. I received a brief statement from Marty Edwards, Vice President of OT Security at Tenable end of April 2021 in this context, which I am posting here.

Security vulnerabilities like the BadAlloc vulnerabilities underscore the need for critical infrastructure and manufacturing companies to have continuous visibility into the devices used in their production environments. It's no longer enough to manually assess risk at regular intervals. When the CISO comes in and asks if the company is exposed to these latest vulnerabilities, the answer should be immediately at hand. Not being able to answer that question gives attackers the upper hand.

Since these vulnerabilities are in the real-time operating systems that are the foundation of many OT and IoT devices, the end user may not even know they are relying on these products. Hopefully, the OT OEM vendor community will evaluate these vulnerabilities and determine if they pose a risk in their products. We always advise OT device owners to work with their manufacturers to properly mitigate vulnerabilities in critical devices. This case is no different.

In this regard, Tenable points to new findings about the commodity cryptocurrency stealer "WeSteal" and the commodity RAT "WeControl" gained by researchers at Palo Alto Networks:

Unit 42, the research team at Palo Alto Networks, also announces findings about the commodity cryptocurrency stealer "WeSteal." The IT security researchers delve into the obfuscation and techniques WeSteal uses for persistence and operation, and examine who the users of this malware are. Unit 42 also takes a look at WeSupply, whose website shares the same name, and Italian malware coder ComplexCodes, the actual author of this malware.

Just prior to the publication of this report, researchers discovered that the actors had both added some new functionality to WeSteal and added a new commodity remote access tool (RAT) called WeControl. WeControl is similarly designed as a tool for illicit activities and is marketed accordingly.

It seems that for every takedown and prosecution of commodity malware, another one takes its place. Often, the authors of commodity malware perfidiously attempt to give their malware a semblance of legitimacy, a strategy that often fails to hold up in court. The author of WeSteal, a new commodity cryptocurrency stealer, makes no attempt to disguise the intent for its malware. The provider promises "the leading way to make money in 2021."

WeSteal is a commodity malware with a single, illegal function for effectively stealing cryptocurrencies. The low-sophisticated actors who buy and deploy this malware are nothing less than pickpockets on the street, and their crimes are as real as their victims. The quick and easy monetization chain and anonymity of cryptocurrency theft, along with its low cost and ease of use, undoubtedly make this type of crimeware attractive and popular among less skilled cybercriminals. The actor's forensic signature suggests affiliation with a website that sells accounts for services like Netflix and Disney+. Intent is again evident with ComplexCode's Discord-based commodity distributed denial-of-service (DDoS) offering, "Site Killah."

The ease of detection and blocking of command-and-control communications works against ComplexCode's Italian malware author. It is surprising that clients entrust their "victims" to the malware author's potential control. ComplexCodes, for its part, could undoubtedly usurp them at any time and steal the victims' bots or replace the customers' wallets with one of its own. It is also surprising that the malware author would risk prosecution for what is surely a small profit, considering how small its customer base is.

Companies with effective spam filtering, proper system administration and up-to-date Windows hosts have a much lower risk of infection. Palo Alto Networks customers have additional protection from WeSteal and WeControl through Cortex XDR or Next-Generation Firewall with WildFire and Threat Prevention security subscriptions. AutoFocus users can track WeSteal and WeControl activity using the WeSteal and WeControl tags.

Palo Alto Networks has shared its findings, including file patterns and indicators of compromise, with other members of the Cyber Threat Alliance. CTA members use these insights to quickly deploy protections to their customers and systematically disrupt malicious cyber actors. For more information about the Cyber Threat Alliance, click here.

Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *