CISA Advisory (ICSA-21-119-04)

August 19th, 2021: CyberHoot has received notification of critical risks to our national cybersecurity. A critical vulnerability has been made public by CISA, known as “BadAlloc”. Details of the vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries are available here. CyberHoot is issuing this advisory to provide early notice of the reported vulnerabilities in the hope of assisting our clients in identifying at-risk systems and upgrading/eliminating/remediating the risks quickly and effectively.  Doing so will reduce your risk of these attacks. The vulnerabilities may allow malicious actors to exploit your systems using remote code injection/execution or simply crash your device. 

Affected Systems and Vulnerability

Below are the affected systems from this vulnerability. For more information on the specific vulnerabilities for each tool, go to https://cwe.mitre.org/data/definitions/190.html for more information. 

• Amazon FreeRTOS, Version 10.4.1
• Apache Nuttx OS, Version 9.1.0 
• ARM CMSIS-RTOS2, versions prior to 2.1.3
• ARM Mbed OS, Version 6.3.0
• ARM mbed-ualloc, Version 1.3.0
• BlackBerry QNX SDP Versions 6.5.0 SP1 and earlier
• BlackBerry QNX OS for Safety Versions 1.0.1 and earlier safety products compliant with IEC 61508 and/or ISO 26262
• BlackBerry QNX OS for Medical Versions 1.1 and earlier safety products compliant with IEC 62304
  • A full list of affected QNX products and versions is available here

• Cesanta Software Mongoose OS, v2.17.0
• eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
• Google Cloud IoT Device SDK, Version 1.0.2
• Media Tek LinkIt SDK, versions prior to 4.6.1
• Micrium OS, Versions 5.10.1 and prior
• Micrium uC/OS: uC/LIB Versions 1.38.xx, Version 1.39.00
• NXP MCUXpresso SDK, versions prior to 2.8.2
• NXP MQX, Versions 5.1 and prior
• Redhat newlib, versions prior to 4.0.0
• RIOT OS, Version 2020.01.1 
• Samsung Tizen RT RTOS, versions prior 3.0.GBB
• TencentOS-tiny, Version 3.1.0
• Texas Instruments CC32XX, versions prior to 4.40.00.07
• Texas Instruments SimpleLink MSP432E4XX
• Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
• Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
• Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
• Uclibc-NG, versions prior to 1.0.36 
• Windriver VxWorks, prior to 7.0
• Zephyr Project RTOS, versions prior to 2.5

What Can You Do?

Below are mitigations for this vulnerability on the various systems it affects. The majority of systems have updates/patches available for this potential exploit. CyberHoot recommends you update immediately if you use these tools. 

• Amazon FreeRTOS – Update available
• Apache Nuttx OS Version 9.1.0 – Update available
• ARM CMSIS-RTOS2 – Update in progress, expected in June
• ARM Mbed OS – Update available
• ARM mbed-ualloc – no longer supported and no fix will be issued
• Blackberry QNX 6.5.0SP1 – Update available. See public advisory
• Blackberry QNX OS for Safety 1.0.2 – Update available. See public advisory
• Blackberry QNX OS for Medical 1.1.1 – Update available. See public advisory
• Cesanta Software mongooses – Update available 
• eCosCentric eCosPro RTOS: Update to Versions 4.5.4 and newer – Update available
• Google Cloud IoT Device SDK – Update available
• Media Tek LinkIt SDK – MediaTek will provide the update to users. No fix for the free version, as it is not intended for production use. 
• Micrium OS: Update to v5.10.2 or later – Update available
• Micrium uCOS: uC/LIB Versions 1.38.xx, 1.39.00: Update to v1.39.1 – Update available
• NXP MCUXpresso SDK – Update to 2.9.0 or later 
• NXP MQX –  update to 5.1 or newer
• Redhat newlib – Update available
• RIOT OS – Update available
• Samsung Tizen RT RTOS – Update available
• TencentOS-tiny – Update available
• Texas Instruments CC32XX – Update to v4.40.00.07
• Texas Instruments SimpleLink CC13X0 – Update to v4.10.03
• Texas Instruments SimpleLink CC13X2-CC26X2 – Update to v4.40.00
• Texas Instruments SimpleLink CC2640R2 – Update to v4.40.00
• Texas Instruments SimpleLink MSP432E4 – Confirmed. No update currently planned
• uClibc-ng – Update available
• Windriver VxWorks – Update in progress
• Zephyr Project: Update to 2.5 or later.  Patches are available for prior supported versions. See the Zephyr security advisory for more information.

Sources

Find out how CyberHoot can secure your business.

Schedule a demo