BadAlloc is the name for a related group of RTOS (Real Time Operating System) vulnerabilities that target 25 platforms, with 23 related vulnerabilities. The result of the vulnerability being exploited varies based upon the target device/platform, but can vary from high hardware usage, limiting the operations of said affected device, to device firmware crashes and reboots. The vulnerability exploits a flaw in memory allocation within the device to achieve the above fault.
The error occurs in a range of IoT and ROT devices as well as Blackberry devices used in maritime and other government operations. A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices, and in our review on the dark web, has been linked to malware designed to connect additional CPU power to bitcoin mining.
The issue was discovered in April 2021, but many devices still remain unpatched after the August 17 report at Cert USA. Many of the devices unpatched have mitigation responses that recommend to isolate the unit from the internet or simply take it offline until a patch is released or it is replaced.
Cert USA states:
- Apply available vendor updates.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available.
- Also recognize VPN is only as secure as its connected devices.
We would add:
- Replace the device if possible
- IoT devices with this vulnerability have been linked to exploit attacks for bitcoin malware, and care should be taken to reset the device to factory defaults once secured to be absolutely sure the system is clean.
This discovery has been credited by CISA to David Atch, Omri Ben Bassat, and Tamir Ariel from Microsoft Section 52.
Here is a listing of the affected operating systems and their status:
Amazon FreeRTOS, Version 10.4.1 Update available
Apache Nuttx OS, Version 9.1.0 Update available
ARM CMSIS-RTOS2, versions prior to 2.1.3 Update in progress
ARM Mbed OS, Version 6.3.0 Update available
ARM mbed-ualloc, Version 1.3.0 no longer supported and no fix will be issued
BlackBerry QNX SDP Versions 6.5.0 SP1 and earlier Update available
BlackBerry QNX OS for Safety Versions 1.0.1 and earlier safety products compliant with IEC 61508 and/or ISO 26262 Update available
BlackBerry QNX OS for Medical Versions 1.1 and earlier safety products compliant with IEC 62304 Update available
Cesanta Software Mongoose OS, v2.17.0 Update available
eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3 Update available
Google Cloud IoT Device SDK, Version 1.0.2 Update available
Media Tek LinkIt SDK, versions prior to 4.6.1 Vendor will directly provide the fix, fix not available for free users
Micrium OS, Versions 5.10.1 and prior Update available
Micrium uC/OS: uC/LIB Versions 1.38.xx, Version 1.39.00 Update available
NXP MCUXpresso SDK, versions prior to 2.8.2 Update available
NXP MQX, Versions 5.1 and prior Update available
Redhat newlib, versions prior to 4.0.0 Update available
RIOT OS, Version 2020.01.1 Update available
Samsung Tizen RT RTOS, versions prior 3.0.GBB Update available
TencentOS-tiny, Version 3.1.0 Update available
Texas Instruments CC32XX, versions prior to 4.40.00.07 Update available
Texas Instruments SimpleLink MSP432E4XX Update available
Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00 Update available
Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00 Update available
Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03 Update available
Texas Instruments SimpleLink MSP432E4 No update currently planned
Uclibc-NG, versions prior to 1.0.36 Update available
Windriver VxWorks, prior to 7.0 Update in progress
Zephyr Project RTOS, versions prior to 2.5 Update available