Friday, April 30, 2021

Reader Comment – Other RTOs Affected?

I had an interesting comment pop up over on LinkedIn about the RTOS advisory I discussed last night. Monty Grindy added:

“Interesting. Didn’t see QNX on that list.”

And he is, of course, correct QNX did not make the list. And, looking at the Wikipedia list of RTOS, there were an awful lot of other RTOS that were not listed. Does this mean that they were not affected? Not sure, but my guess is maybe???

If you read the Microsoft report on BadAlloc you run across some interesting comments. The first that impacts on the above question is:

“The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations [emphasis added]. These findings have been shared with vendors through responsible disclosure led by the Microsoft Security Response Center (MSRC) and the Department of Homeland Security (DHS), enabling these vendors to investigate and patch the vulnerabilities.”

Thus, any RTOS developers that utilized the same SDKs or libc implementations could have ended up with similar vulnerabilities in their RTOS’s. This is not surprising from looking at the NCCIC-ICS advisory. Each of the 23 vulnerabilities listed use similar naming conventions for the affected operation.

Microsoft also noted that:

“These remote code execution (RCE) vulnerabilities cover more than 25 CVEs [emphasis added] and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.”

NCCIC-ICS only reported on 25 CVE’s (VxWorks and FreeRTOS both received two CVE’s). If we take that ‘more than’ statement seriously, and I do not expect that MS used it lightly, then there may be additional RTOS that MS found vulnerabilities in. If those vendors were able to convince MS and NCCIC-ICS that they were still vigorously working on correcting the problems, then NCCIC-ICS may have held off in their disclosure.

Finally, the Wikipedia entry on ‘Realtime Operating Systems’ lists a lot more than 25 entries into the category. I would be very surprised if Microsoft’s Section 52, the Azure Defender for IoT security research group, had enough time or incentive to try to test all of those RTOSs. They certainly made their point with the research that they did do.

I would also be surprised if they found this type of memory allocation vulnerability in all of the RTOS’s that they tested. Certainly, someone was using a different set of tools and libraries to set up their RTOS. It would have been helpful if Microsoft would have provided a list of systems that they tested that were not vulnerable to this particular type of vulnerability.

One final note. I am sure that now that MS has pointed the way to these common vulnerabilities in 25 different operating systems, that other researchers will be looking for other common cause vulnerabilities. Iot and OT cybersecurity is just going to continue to get more and more interesting.

No comments:

/* Use this with templates/template-twocol.html */