IoT riddled with BadAlloc vulnerabilities

IoT riddled with BadAlloc vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has published advisory ICSA-21-119-04 about vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. Those operating systems and libraries are widely used in smart, Internet-connected “things”. The number of affected devices could be enormous.

As is the fashion these days, the collection of vulnerabilities has been given a name: BadAlloc. CISA has assigned a vulnerability score of 9.8 out of a maximum of 10 for the BadAlloc vulnerabilities and has urged organizations to address these issues as soon as possible.

The vulnerabilities included in BadAlloc

BadAlloc is a large set of remote code execution (RCE) vulnerabilities found by Microsoft’s Section 52:

These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.

Section 52 is Microsoft’s Azure Defender for IoT security research group consisting of IoT/OT/ICS domain experts that reverse-engineer malware, and track ICS-specific zero-days, campaigns, and adversaries.

Where does the name BadAlloc come from?

The researchers found that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.

Heap is the name for a region of a process’ memory which is used to store dynamic variables. If these get written to the wrong place, an attacker could input malicious data, which if it is not validated, could allow an attacker to perform remote code execution, or crash the affected system.

In the programming language C++, bad_alloc is the type of the object thrown as exceptions by the allocation functions to report failure to allocate storage. So, this may have been the inspiration for the name.

Which devices are affected?

This is a long list and some of these, in turn, represent a lot of different devices:

  • Amazon FreeRTOS, Version 10.4.1
  • Apache Nuttx OS, Version 9.1.0 
  • ARM CMSIS-RTOS2, versions prior to 2.1.3
  • ARM Mbed OS, Version 6.3.0
  • ARM mbed-uallaoc, Version 1.3.0
  • Cesanta Software Mongoose OS, v2.17.0
  • eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
  • Google Cloud IoT Device SDK, Version 1.0.2
  • Linux Zephyr RTOS, versions prior to 2.4.0
  • Media Tek LinkIt SDK, versions prior to 4.6.1
  • Micrium OS, Versions 5.10.1 and prior
  • Micrium uCOS II/uCOS III Versions 1.39.0 and prior
  • NXP MCUXpresso SDK, versions prior to 2.8.2
  • NXP MQX, Versions 5.1 and prior
  • Redhat newlib, versions prior to 4.0.0
  • RIOT OS, Version 2020.01.1 
  • Samsung Tizen RT RTOS, versions prior 3.0.GBB
  • TencentOS-tiny, Version 3.1.0
  • Texas Instruments CC32XX, versions prior to
  • Texas Instruments SimpleLink MSP432E4XX
  • Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
  • Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
  • Uclibc-NG, versions prior to 1.0.36 
  • Windriver VxWorks, prior to 7.0

Microsoft worked with all the affected vendors in collaboration with the US Department of Homeland Security (DHS) to coordinate the investigation and release of updates.


For now, we have not seen any indications of these vulnerabilities being exploited, but given the amount of available targets, you can be sure exploits are being sought. Unlike computers, Internet-connected devices can be difficult, or even impossible to update. Because of that, mitigating against these issues could be extremely important for years to come.

In the CISA advisory you can find a list (under 4. Mitigations) which shows the updates that are available. The agency advises users to take the following defensive measures, to minimize the risk of exploitation:

  • Apply available vendor updates.
  • Ensure that affected devices are not accessible from the Internet.
  • Minimize network exposure for all control system devices and/or systems.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • Use secure methods, such as Virtual Private Networks (VPNs), when remote access is required.

Microsoft provides the following mitigation advice:

…we recognize that patching IoT/OT devices can be complex. For devices that cannot be patched immediately, we recommend mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets, as described in the mitigations section at the end of this blog post.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.