Microsoft has taken a look at memory management code used in a wide range of equipment, from industrial control systems to healthcare gear, and found it can be potentially exploited to hijack devices.
Drilling down to the nitty-gritty: Microsoft’s Azure Defender for IoT security research group looked at memory allocation functions, such as malloc(), provided by real-time operating systems, standard C libraries, and software development kits all aimed at embedded electronics: that’s Internet-of-Things (IoT) devices, industrial control systems, and so-called operational technology (OT).
The team found a programming blunder common among much of the software: integer overflows during heap memory allocation. This occurs when an attacker is able to, usually via malicious data inputs, trick application code into making a very large memory allocation for a buffer to hold further incoming information.
The trouble is that a vulnerable memory allocator could take that large size – eg, 0xffffffff on a 32-bit embedded system – and add something like 8 to it because the requested memory block needs eight bytes of metadata to describe it. The size then overflows to 7 and the allocator finds space in memory that’s seven bytes in size for the requested buffer.
The allocator returns a pointer to that small space to the application, which assumes the allocation succeeded for the huge request, and then copies way more than seven bytes of data into the buffer from the attacker. This causes the application to overwrite the memory allocation metadata, structures, and contents. Now the attacker who sent over the data can take full control of the system by overwriting function pointers or altering other values.
The allocations should fail due to the large sizes, but the integer overflow allows them to partially succeed and in a way that’s exploitable. To pull this off, an attacker would need to be able to feed data to the application – either as a file or network traffic or whatever – that causes it to allocate a huge block of heap memory. It would be nice if application code trapped oversize allocations, but in any case, Microsoft found OS and library-level code let it all sail through, too, due to the overflows.
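To make the arithmetic concrete, here is an added illustration in C with 32-bit sizes; it is not code from Microsoft's research or from any of the affected allocators. The unchecked size computation wraps 0xffffffff + 8 to 7, while the checked version refuses the request before the addition. The 8-byte header, the toy arena and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed: the per-block metadata header the article describes. */
#define HEADER_SIZE 8u

/* Vulnerable: request + header is computed in 32-bit arithmetic with no
 * check, so 0xffffffff + 8 wraps to 7 and the allocator goes looking for
 * a seven-byte block. */
uint32_t block_size_vulnerable(uint32_t request) {
    return request + HEADER_SIZE;
}

/* Hardened: detect the wrap before adding. Returns 0 when the sum cannot be
 * represented (0 is never a valid block size, since every block has a header). */
uint32_t block_size_checked(uint32_t request) {
    if (request > UINT32_MAX - HEADER_SIZE) {
        return 0;   /* would overflow: refuse the allocation outright */
    }
    return request + HEADER_SIZE;
}

/* Toy 32-bit arena, just large enough to show the effect. */
#define ARENA_SIZE 1024u
static uint8_t arena[ARENA_SIZE];

/* Carves one block at offset 0 and returns the offset of the caller's buffer
 * (just past the header), or -1 when the allocation is refused. With
 * hardened == false a 4 GiB request "succeeds" and yields a 7-byte block. */
int32_t toy_alloc(uint32_t request, bool hardened) {
    uint32_t total = hardened ? block_size_checked(request)
                              : block_size_vulnerable(request);
    if (total == 0 || total > ARENA_SIZE) {
        return -1;  /* honest failure: overflow detected or arena too small */
    }
    memcpy(arena, &total, sizeof total);  /* header records the block size */
    return (int32_t)HEADER_SIZE;
}

int main(void) {
    printf("unchecked: 0xffffffff + 8 -> %u bytes\n",
           (unsigned)block_size_vulnerable(0xffffffffu));
    printf("unchecked alloc offset: %d (bogus success)\n",
           (int)toy_alloc(0xffffffffu, false));
    printf("checked alloc offset:   %d (refused)\n",
           (int)toy_alloc(0xffffffffu, true));
    return 0;
}
```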
“For devices that cannot be patched immediately, we recommend mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets.”
What is affected? Good question. The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has a summary here.
its advisory here