BadAlloc: Microsoft Flags Major Security Holes in OT, IoT Devices

Security researchers at Microsoft are raising the alarm for multiple gaping security holes in a wide range of enterprise internet-connected devices, warning that the high-risk bugs expose businesses to remote code execution attacks.

According to an advisory from Redmond’s Azure Defender for IoT security research group, there are at least 25 documented vulnerabilities (CVEs) affecting a wide range of IoT and operational technology (OT) devices in industrial, medical, and enterprise networks.

Microsoft is calling the family of vulnerabilities “BadAlloc”.

“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device,” Microsoft explained.

[Adversaries] could exploit the bugs to bypass security controls in order to execute malicious code or cause a system crash, Microsoft warned.

A separate advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provides a list of affected devices and information on applying available security patches.

According to Microsoft, the vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
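An added illustration (not from the article, Microsoft's advisory or any affected product) of the missing input validation described above, assuming the commonly documented form of this bug class: size arithmetic in a calloc-style function that wraps around, so the block reserved is smaller than the caller believes. The toy arena allocator and every name in it are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy heap: a fixed arena with a bump pointer, standing in for an
 * embedded allocator. Not taken from any affected product. */
#define ARENA_SIZE 4096u
#define HDR_SIZE   8u            /* per-block bookkeeping added to every request */
static uint8_t arena[ARENA_SIZE];
static size_t  arena_used;

static void *arena_take(size_t total) {
    if (total > ARENA_SIZE - arena_used) return NULL;   /* arena exhausted */
    void *p = &arena[arena_used];
    arena_used += total;
    return p;
}

/* Unvalidated size arithmetic: both nmemb * size and + HDR_SIZE can wrap
 * around SIZE_MAX, so the computed total may be far smaller than requested. */
size_t unchecked_request_size(size_t nmemb, size_t size) {
    return nmemb * size + HDR_SIZE;
}

/* Validated size arithmetic: returns 0 and stores the total on success,
 * or -1 if either step would wrap. */
int checked_request_size(size_t nmemb, size_t size, size_t *total) {
    if (size != 0 && nmemb > SIZE_MAX / size) return -1;   /* multiply wraps */
    size_t bytes = nmemb * size;
    if (bytes > SIZE_MAX - HDR_SIZE) return -1;            /* header add wraps */
    *total = bytes + HDR_SIZE;
    return 0;
}

/* Hardened calloc-style entry point: refuse the request instead of handing
 * back an undersized block that the caller would later write past. */
void *safe_calloc(size_t nmemb, size_t size) {
    size_t total;
    if (checked_request_size(nmemb, size, &total) != 0) return NULL;
    uint8_t *blk = arena_take(total);
    if (blk == NULL) return NULL;
    memset(blk, 0, total);
    return blk + HDR_SIZE;       /* user data starts after the header */
}
```

When auditing an allocator, the check to look for is the pair of comparisons in `checked_request_size`: one before the multiplication and one before any header or alignment padding is added.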

Microsoft said it worked closely with all the affected vendors in collaboration with the U.S. Department of Homeland Security (DHS) to coordinate the investigation and release of updates.

The list of affected products includes IoT/OT devices sold by Amazon, ARM, Cesanta, Google Cloud, Samsung, Texas Instruments and Tencent. US-CERT says various open-source products are also affected.

“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds. To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, we strongly encourage organizations to patch their systems as soon as possible,” the company said.

Microsoft recommends that organizations apply mitigating controls to reduce attack surface, including implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets. 

David Atch, Omri Ben Bassat, and Tamir Ariel from Microsoft were credited for reporting the vulnerabilities to CISA. 

The list of impacted products, according to CISA’s alert, includes:

Amazon FreeRTOS, Version 10.4.1

Apache Nuttx OS, Version 9.1.0 

ARM CMSIS-RTOS2, versions prior to 2.1.3

ARM Mbed OS, Version 6.3.0

ARM mbed-ualloc, Version 1.3.0

Cesanta Software Mongoose OS, v2.17.0

eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3

Google Cloud IoT Device SDK, Version 1.0.2

Linux Zephyr RTOS, versions prior to 2.4.0

MediaTek LinkIt SDK, versions prior to 4.6.1

Micrium OS, Versions 5.10.1 and prior

Micrium uCOS II/uCOS III Versions 1.39.0 and prior

NXP MCUXpresso SDK, versions prior to 2.8.2

NXP MQX, Versions 5.1 and prior

Redhat newlib, versions prior to 4.0.0

RIOT OS, Version 2020.01.1 

Samsung Tizen RT RTOS, versions prior to 3.0.GBB

TencentOS-tiny, Version 3.1.0

Texas Instruments CC32XX, versions prior to

Texas Instruments SimpleLink MSP432E4XX

Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00

Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00

Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03

Uclibc-NG, versions prior to 1.0.36 

Windriver VxWorks, prior to 7.0

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
