Use After Free: An IoT Security Issue Modern Workplaces Encounter Unwittingly
Use After Free is one of the most common memory-safety bugs in C and C++ code and a recurring source of exploitable flaws in IoT firmware. It is preventable with the right development practices, runtime protections, and security strategies.
Workstations, laptops, and smartphones are no longer the only web-enabled devices in the workplace. Wearables and the Internet of Things have added many more gadgets that connect to the internet, at home and at work. This has created new conveniences but also introduced new problems.
One of those problems is the expansion of the attack surface. Every new device added to the enterprise network is another target, and every one of them runs software that can contain exploitable vulnerabilities, giving threat actors more opportunities to get in.
Things get more complicated as the technology involved becomes more advanced. Flaws in IoT devices, for example, give attackers a foothold from which to reach deeper into operational technology (OT) networks.
Use After Free: Common, Unnoticed IoT Security Weakness
When it comes to IoT devices, there is one security issue many tend to be unaware of: the Use After Free weakness, catalogued as CWE-416 in the Common Weakness Enumeration. It is relatively common, but most device users are oblivious to its existence because of its highly technical nature.
Use After Free is a class of bug in software written in C and C++, the languages in which most IoT and embedded firmware is written. It occurs when a program keeps using a pointer to heap memory after that memory has been released with free(): the pointer is left dangling, and nothing in the language stops the program from reading or writing through it. The allocator may hand the same memory to the next allocation request, so whatever the program still expects to find there can be replaced by data an attacker controls. If the stale object contains a function pointer (or a C++ vtable pointer), the attacker can overwrite it with an address of their choosing, such as the address of shellcode, and the next call through that pointer executes arbitrary code.
These bugs trigger without any visible sign to the device user. They are most consequential in sectors that run large fleets of long-lived, C-based devices, such as healthcare, industrial control, and device manufacturing. Even the IT team may not notice until there are obvious symptoms, such as a crashing process or, worse, attacker-controlled code running on the device. Understanding the problem is therefore the first step toward spotting it and addressing it before it causes serious damage.
Unwanted Consequences
Referencing memory after it has been freed is undefined behaviour: the C standard gives no guarantee about what the program will do next. The bug usually enters through error-handling paths that free an object and then continue using it, or through unclear ownership, where the modules of a program do not agree on which one is responsible for freeing an object, so one module frees it while another still holds a pointer to it.
One consequence of a Use After Free is that the program crashes or hangs. After free(), the chunk may contain the allocator's own metadata or data belonging to a new owner, so a read through the stale pointer returns garbage, and a write through it can corrupt the allocator's bookkeeping, which typically brings the process down the next time malloc() or free() runs.
Another consequence is data corruption. Once the memory is freed, the allocator can return the same chunk to a later allocation, so two live pointers now alias the same bytes. Writes through the stale pointer silently overwrite the new owner's data, and writes by the new owner silently change what the old code sees. Neither side can tell that anything is wrong, and the result is undefined behaviour and corrupted data.
Moreover, the error can lead to a write-what-where condition, in which the attacker chooses both the value written into the freed memory and, by steering the reallocation, where it lands. If the chunk previously held an object containing function pointers, such as a C++ class instance, the attacker can overwrite one of them; when the program later calls through that pointer, execution is redirected to an address of the attacker's choosing, such as shellcode placed in heap data.
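To make the mechanism described in this section and in the "Use After Free" section above concrete, here is an added example; it is not code from the original article or from any product the article mentions. It reproduces the sequence with a tiny purpose-built arena allocator whose LIFO free list mimics how real allocators recycle small chunks, which keeps the demonstration deterministic and free of undefined behaviour. The `session` object, its `on_logout` function pointer, the `arena_*` functions and the 0x41 attacker payload are all constructed for this illustration. The vulnerable flow frees a session but keeps using the pointer; the attacker's next allocation of the same size lands in the same chunk, and the stale function pointer now holds attacker bytes. The hardened flow clears the pointer at the point of free and refuses the later use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A miniature heap with a LIFO free list. A freed chunk is handed back by the
 * very next allocation of a fitting size, the behaviour that makes
 * use-after-free exploitable on real allocators. Using our own arena keeps the
 * demonstration deterministic and avoids undefined behaviour. */
#define CHUNK 64
#define NCHUNKS 8
static union { unsigned char bytes[CHUNK]; void *align; } arena[NCHUNKS];
static void *free_list[NCHUNKS];
static int free_top, next_fresh;

static void arena_reset(void) { free_top = 0; next_fresh = 0; }

static void *arena_alloc(size_t n) {
    if (n > CHUNK) return NULL;
    if (free_top > 0) return free_list[--free_top];   /* recycle most recently freed chunk */
    if (next_fresh < NCHUNKS) return arena[next_fresh++].bytes;
    return NULL;
}

/* Like free(): releases the chunk but neither wipes it nor touches the caller's pointer. */
static void arena_free(void *p) { if (p) free_list[free_top++] = p; }

/* A heap object carrying a function pointer: the classic use-after-free target. */
typedef void (*logout_fn)(const char *user);
struct session {
    logout_fn on_logout;
    char user[CHUNK - sizeof(logout_fn)];
};

static void real_logout(const char *user) { (void)user; }

/* Vulnerable flow: the session is closed (freed) but the caller keeps using `s`.
 * Returns the function pointer value the dangling pointer now sees. */
uintptr_t vulnerable_flow(const unsigned char *attacker_bytes, size_t len) {
    arena_reset();
    struct session *s = arena_alloc(sizeof *s);
    s->on_logout = real_logout;
    strcpy(s->user, "alice");

    arena_free(s);               /* session closed ... but `s` is left dangling */

    /* An attacker-controlled message of the same size lands in the same chunk. */
    unsigned char *msg = arena_alloc(len);
    memcpy(msg, attacker_bytes, len);

    /* Later code still trusts `s`. A real program would call s->on_logout(...)
     * here and jump to the attacker's address; we only report the value. */
    return (uintptr_t)s->on_logout;
}

/* Hardened flow: the pointer is cleared immediately after free and checked
 * before use, so the stale object can never be reached. */
uintptr_t hardened_flow(const unsigned char *attacker_bytes, size_t len) {
    arena_reset();
    struct session *s = arena_alloc(sizeof *s);
    s->on_logout = real_logout;
    strcpy(s->user, "alice");

    arena_free(s);
    s = NULL;                    /* kill the dangling reference at the point of free */

    unsigned char *msg = arena_alloc(len);
    memcpy(msg, attacker_bytes, len);

    if (s == NULL) return 0;     /* use of a closed session is refused, not trusted */
    return (uintptr_t)s->on_logout;
}

/* Constructed attacker input: 64 bytes of 0x41 standing in for a chosen address. */
uintptr_t demo_vulnerable(void) {
    unsigned char payload[CHUNK];
    memset(payload, 0x41, sizeof payload);
    return vulnerable_flow(payload, sizeof payload);
}

uintptr_t demo_hardened(void) {
    unsigned char payload[CHUNK];
    memset(payload, 0x41, sizeof payload);
    return hardened_flow(payload, sizeof payload);
}

int main(void) {
    printf("vulnerable: on_logout = 0x%lx\n", (unsigned long)demo_vulnerable());
    printf("hardened:   on_logout = 0x%lx\n", (unsigned long)demo_hardened());
    return 0;
}
```

Compile with `cc -Wall uaf_demo.c` and run: on a 64-bit build the vulnerable flow reports 0x4141414141414141 where the dangling session's function pointer used to be, while the hardened flow reports 0. The same pattern written against the real heap with a genuine free() is undefined behaviour; building it with `-fsanitize=address` makes AddressSanitizer report the stale read as a heap-use-after-free at the exact instruction, which is the development-time check to add.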
Reported Cases of the Use After Free Security Weakness
CWE-416 is not a theoretical weakness dreamed up by overcautious security analysts. It has been reported many times, and not only at small organizations with resource-constrained IT and security teams; high-profile vendors have shipped it too.
In November 2022, the NIST National Vulnerability Database published CVE-2022-37332, a Use After Free vulnerability in the JavaScript engine of Foxit PDF Reader version 12.0.1.124300. A specially crafted PDF could trigger reuse of previously freed memory and, from there, execution of attacker-supplied code.
A similar issue was found in the Windows Server VPN remote kernel code in May 2022. It affected most versions of Windows Server and Windows desktop from Windows Server 2008 and Windows 7 onward, and it allowed attackers to cause a denial of service or achieve remote code execution against the target server.
Even iOS has had this weakness. With the release of iOS 15.4 in March 2022, Apple documented a Use After Free in the GPU drivers that could let an application execute arbitrary code with kernel privileges.
WordPress also published, in January 2022, a patch for an 'SQL Injection through WP_Query' vulnerability that it rated as highly severe because the injection could be reached through themes and plugins. That one, however, is an input-handling flaw in PHP code rather than a memory-safety bug, so it is not an instance of CWE-416; it is a reminder that memory corruption is only one of the bug classes a patching programme has to keep up with.
Resolving the Weakness
The conventional remedy for CWE-416 is patching: the vendor of the affected software releases a software or firmware update that fixes the bug. That is necessary but often not timely enough, since attackers can exploit a vulnerability as soon as they find it, and IoT devices are frequently patched late or never.
Two complementary layers therefore matter. During development, memory errors should be hunted down before release: AddressSanitizer flags a use-after-free at the exact instruction that touches freed memory, fuzzing drives the code into the error paths where these bugs hide, and simple discipline such as clearing a pointer immediately after free() and giving every object one clear owner removes whole classes of them. In the field, a runtime protection embedded in the firmware of the IoT device, in the spirit of Runtime Application Self-Protection (RASP), can deterministically detect memory and control-flow manipulation at the moment it happens rather than by matching a known signature. Because it reacts to the behaviour itself, it can contain an exploit attempt even when no patch is yet available, which gives a blanket defence against a wide range of memory-corruption vulnerabilities.
In Conclusion
Use After Free is one of the most common memory-management bugs in C code. Its close relative is Double Free (CWE-415), which occurs when free() is called more than once on the same pointer and which corrupts the allocator's state in much the same way. Both can cause serious security problems for organizations. What is reassuring is that both are preventable with the right tools and security strategies.
Opinions expressed by DZone contributors are their own.