Comment from Tenable on BadAlloc flaws

Marty Edwards, VP of OT security, Tenable

Microsoft disclosed more than 25 critical memory allocation vulnerabilities in OT and IoT devices that could enable an attacker to bypass security controls and execute malicious code or cause a system to crash in industrial, medical, and enterprise networks.
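The BadAlloc class consists of integer wraparound in the arithmetic that computes an allocation size: a request for `count` elements of `elem_size` bytes is multiplied without an overflow check, so a very large request silently becomes a tiny heap block that later gets overrun. The following C program is an added example that is not code from this page, from Microsoft, or from Tenable; it models a 32-bit RTOS target with `uint32_t` sizes (an assumption chosen so the wrap is visible on any host) and contrasts the unchecked size computation with a checked one that refuses requests that would wrap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Unchecked size arithmetic, as found in the BadAlloc-style allocators:
 * on a 32-bit target, count * elem_size wraps modulo 2^32, so a huge
 * request can yield a block of only a few bytes. */
static uint32_t wrapped_size32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;   /* unsigned multiply wraps silently */
}

/* Checked variant: refuse any request whose byte count would not fit in
 * 32 bits. The division test is done before the multiply, so it cannot
 * itself overflow. Returns 1 and sets *out on success, 0 on a bad size. */
static int checked_size32(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;               /* product would wrap */
    *out = count * elem_size;
    return 1;
}

/* Array allocator built on the checked computation (hypothetical helper,
 * modelled on what a hardened allocator wrapper would do): returns NULL
 * instead of handing back an undersized block. */
static void *safe_array_alloc32(uint32_t count, uint32_t elem_size)
{
    uint32_t bytes;
    if (!checked_size32(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed example request: 0x40000001 elements of 4 bytes.
     * The true size is 0x100000004 bytes; the wrapped size is 4. */
    uint32_t count = 0x40000001u, elem = 4u, bytes;

    printf("unchecked size: %u bytes\n", wrapped_size32(count, elem));
    printf("checked size accepted: %d\n", checked_size32(count, elem, &bytes));
    printf("safe alloc returned NULL: %d\n",
           safe_array_alloc32(count, elem) == NULL);
    return 0;
}
```

The detection-side takeaway is that the defect is arithmetic, not a missing bounds check on the later copy: a code review or static-analysis rule that flags `count * size` fed into an allocator without a prior `SIZE_MAX / size` (or equivalent) comparison finds this entire class, which is why firmware-level audits of RTOS allocators matter even when application code looks correct.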

“Vulnerabilities such as the BadAlloc flaws underscore the need for critical infrastructure and manufacturing organisations to have continuous visibility into the devices used in their production environments. It is no longer sufficient to evaluate your risk ‘with a clipboard’ on a periodic basis. When the CISO comes to ask if your organisation is exposed to these latest vulnerabilities, you should have the answer immediately. Not being able to answer that question gives attackers the upper hand.

Since these vulnerabilities are in the Real Time Operating Systems that are the foundation of many OT and IoT devices, the end user may not actually know that they rely on these products. Hopefully, the OT OEM vendor community will evaluate these vulnerabilities and determine if they are a risk in their products. We always advise owners of OT to work with their vendors on how to appropriately mitigate vulnerabilities in critical devices. This case is no different.” — Marty Edwards, VP of OT security, Tenable
