
“BadAlloc” Multiple Vulnerabilities in IoT/OT Devices

Issued: 
Tuesday, 4 May, 2021
Last Revision: 
Tuesday, 4 May, 2021
Vendor: 
Product: 
Severity Level: 
Summary: 

A critical set of vulnerabilities collectively known as "BadAlloc" has been identified in multiple real-time operating systems (RTOS), embedded software development kits (SDKs) and C standard libraries. The flaws are categorized as Integer Overflow or Wraparound (CWE-190): memory allocation functions (such as malloc, calloc, realloc and memalign) compute an allocation size from attacker-influenced input without checking for overflow, so a wrapped-around size yields a much smaller buffer than the caller expects and subsequent writes run past the end of it. Depending on the device, successful exploitation can result in Remote Code Execution (RCE) or Denial of Service (DoS). The affected RTOS and libraries are widely used in Internet of Things (IoT) and Operational Technology (OT) devices.
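The overflow pattern at the heart of BadAlloc, as an added example that is not part of this advisory or of any affected vendor's code: a simplified allocator size calculation in its vulnerable form beside a hardened form that rejects unrepresentable totals, plus the equivalent check for calloc-style element-count arithmetic. The header size, alignment constant, function names and the hostile request value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the BadAlloc bug class; this is not code
 * from any affected RTOS or library. The header size and alignment are
 * assumed values chosen to keep the arithmetic easy to follow. */
#define HEADER_SIZE 8u   /* bookkeeping bytes an allocator prepends */
#define ALIGN       8u   /* allocation granularity */

/* Vulnerable pattern: the requested size is combined with the header
 * and rounded up to the alignment using plain size_t arithmetic.
 * Both additions can wrap around, so a request near SIZE_MAX yields a
 * tiny total and the allocation "succeeds" with far less memory than
 * the caller believes it received. On a 32-bit MCU a 32-bit length
 * field taken from a network packet is enough to reach this. */
size_t vulnerable_total_size(size_t requested)
{
    size_t total = requested + HEADER_SIZE;                /* may wrap */
    return (total + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);  /* may wrap */
}

/* Hardened pattern: bound-check every addition before performing it and
 * report failure (return 0) when the true total is not representable. */
int safe_total_size(size_t requested, size_t *out)
{
    if (requested > SIZE_MAX - HEADER_SIZE)
        return 0;
    size_t total = requested + HEADER_SIZE;
    if (total > SIZE_MAX - (ALIGN - 1))
        return 0;
    *out = (total + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
    return 1;
}

/* calloc-style variant: element count times element size can also wrap.
 * Divide instead of multiply so the check itself cannot overflow. */
int safe_calloc_size(size_t nmemb, size_t size, size_t *out)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return 0;
    *out = nmemb * size;
    return 1;
}

/* Simulated allocation API around the two size computations. The
 * vulnerable version hands back a buffer whose real capacity is the
 * wrapped total; a caller that then copies `requested` bytes into it
 * overflows the heap. */
void *vulnerable_alloc(size_t requested, size_t *actual_capacity)
{
    size_t total = vulnerable_total_size(requested);
    *actual_capacity = total;
    return malloc(total);
}

void *safe_alloc(size_t requested, size_t *actual_capacity)
{
    size_t total;
    if (!safe_total_size(requested, &total)) {
        *actual_capacity = 0;
        return NULL;
    }
    *actual_capacity = total;
    return malloc(total);
}

int main(void)
{
    /* Attacker-chosen length: just below SIZE_MAX, as a hostile length
     * field in a protocol message could be (constructed input). */
    size_t hostile = SIZE_MAX - 4;
    size_t cap;

    void *p = vulnerable_alloc(hostile, &cap);
    printf("vulnerable: requested %zu bytes, allocator reserved %zu bytes, malloc %s\n",
           hostile, cap, p ? "succeeded" : "failed");
    free(p);

    p = safe_alloc(hostile, &cap);
    printf("hardened:   requested %zu bytes, result %s\n",
           hostile, p ? "succeeded" : "rejected (overflow)");
    free(p);
    return 0;
}
```

With the hostile request, the vulnerable path reserves only 8 bytes (SIZE_MAX - 4 + 8 wraps to 3, which rounds up to 8) while reporting success; the hardened path refuses the request. The same division-based check applies to any product of attacker-controlled counts and sizes, not only to calloc.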

 

Affected products:

  • Amazon FreeRTOS, Version 10.4.1 (CVE-2021-31571 and CVE-2021-31572)
  • Apache NuttX OS, Version 9.1.0 (CVE-2021-26461)
  • ARM CMSIS-RTOS2, versions prior to 2.1.3 (CVE-2021-27431)
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-ualloc, Version 1.3.0 (CVE-2021-27433)
  • Cesanta Software Mongoose OS, v2.17.0 (CVE-2021-27425)
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3 (CVE-2021-27417)
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Linux Zephyr RTOS, versions prior to 2.4.0
  • MediaTek LinkIt SDK, versions prior to 4.6.1 (CVE-2021-30636)
  • Micrium OS, Versions 5.10.1 and prior (CVE-2021-27411)
  • Micrium uCOS II/uCOS III, Versions 1.39.0 and prior (CVE-2021-26706)
  • NXP MCUXpresso SDK, versions prior to 2.8.2 (CVE-2021-27421)
  • NXP MQX, Versions 5.1 and prior (CVE-2021-22680)
  • Red Hat newlib, versions prior to 4.0.0 (CVE-2021-27411)
  • RIOT OS, Version 2020.01.1 (CVE-2021-27427)
  • Samsung Tizen RT RTOS, versions prior to 3.0.GBB (CVE-2021-22684)
  • TencentOS-tiny, Version 3.1.0 (CVE-2021-27439)
  • Texas Instruments CC32XX, versions prior to 4.40.00.07 (CVE-2021-22677, CVE-2021-22673, CVE-2021-22675 and CVE-2021-22679)
  • Texas Instruments SimpleLink MSP432E4XX (CVE-2021-27502, CVE-2021-27504, CVE-2021-22636 and CVE-2021-27429)
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00 (CVE-2021-27502, CVE-2021-27504, CVE-2021-22636 and CVE-2021-27429)
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00 (CVE-2021-27502, CVE-2021-27504, CVE-2021-22636 and CVE-2021-27429)
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03 (CVE-2021-27502, CVE-2021-27504, CVE-2021-22636 and CVE-2021-27429)
  • uClibc-NG, versions prior to 1.0.36 (CVE-2021-27419)
  • Wind River VxWorks, prior to 7.0 (CVE-2020-35198, CVE-2020-28895)
Recommendation: 

To minimize the risk to affected IoT/OT systems, we recommend:

  1. Apply the latest vendor patch that mitigates these vulnerabilities.

  2. Eliminate any exposure of these devices to the internet, inbound or outbound, by configuring firewall rules; the affected allocators are typically reached through network-facing parsers, so a device that is unreachable from untrusted networks cannot be fed a hostile length field.

  3. If remote access is required, use a VPN to reach the devices from behind a secure firewall rather than exposing them directly.

 

Available patches:

 

No patch available:

  • ARM CMSIS-RTOS2 – Update in progress
  • ARM mbed-ualloc – Obsolete; no support or patch available
  • MediaTek LinkIt SDK – MediaTek will provide the update to its users; the SDK is not intended for production use
  • Texas Instruments SimpleLink MSP432E4 – No update planned (see "SimpleLink MSP432E4 Integer Overflow Issues" on ti.com)
  • Wind River VxWorks – VxWorks 6.9 not patched (CVE-2020-28895)