Forescout has released its AMNESIA:33 study, a set of 33 memory-corrupting vulnerabilities affecting four open-source TCP/IP stacks: uIP; FNET; picoTCP; and Nut/Net. These open-source stacks are not owned by a single company and are used across multiple codebases, development teams, companies and products. This presents significant challenges to patch management. As a result, Forescout has identified hundreds of vendors and millions of Internet of Things (IoT), Industrial IoT (IIoT), Internet of Medical Things (IoMT), operational technology (OT), and IT devices at risk worldwide.
The TCP/IP stacks affected by AMNESIA:33 can be found in operating systems for embedded devices, systems-on-a-chip, networking equipment, OT devices and a myriad of enterprise and consumer IoT devices such as:
- IoT devices: cameras; environmental sensors (e.g., temperature, humidity); smart lights; smart plugs; barcode readers; specialised printers; retail audio systems; and healthcare devices
- building automation systems: physical access control; fire and smoke alarms; energy meters; batteries; and heating, ventilation and air conditioning (HVAC) systems
- industrial control systems: physical access control; and fire and smoke alarms.
- IT: printers; switches; and wireless access points.
TCP/IP stacks are critical components of all IP-connected devices, including IoT and OT, since they enable basic network communication. A security flaw in a TCP/IP stack can be extremely dangerous because the code in these components may be used to process every incoming network packet that reaches a device. This means that some vulnerabilities in a TCP/IP stack let a device be exploited simply by being connected to a network and powered on.
Many of the vulnerabilities reported within AMNESIA:33 arise from bad software development practices, such as an absence of basic input validation. They relate mostly to memory corruption and can cause denial of service, information leaks or remote code execution.
Four of the vulnerabilities in AMNESIA:33 are critical, with potential for remote code execution on certain devices. Exploiting these vulnerabilities could let an attacker take control of a device, using it as an entry point on a network (for internet-connected devices), as a pivot point for lateral movement, as a persistence point on the target network, or as the final target of an attack. This means enterprise organisations are at increased risk of having their network compromised, or having malicious actors undermining their business continuity.
Greg Clark, CEO, Forescout, said, “Over the last several years, we’ve seen an escalation in attacks leveraging connected devices. What the world is just beginning to understand though is that traditional IT devices represent only the tip of the iceberg when it comes to cyber risk and that the proliferation of unagentable IoT, OT and other connected devices will create a potentially far greater attack surface.
“The nature of vulnerabilities like AMNESIA:33 fundamentally changes our understanding of the risks posed by connected devices. Organisations are only as strong as their weakest link, and executives and boards of directors have a responsibility to understand the full spectrum of the attack surface all the way down to the supply chain level, as they deploy controls to buy-down the risk of network compromise or ensure business continuity.
“Given the widespread nature of these vulnerabilities and the difficulty in remedying them at scale, it is only a matter of time before they are exploited. Organisations must ready themselves before that time comes or else knowingly leave themselves open to attack.”
Steve Hunter, senior director, systems engineering – Asia Pacific & Japan, Forescout, said, “This research highlights that potentially any network-connected device in the world may have inherent vulnerabilities as part of its code that could lead to significant security breaches if those vulnerabilities are weaponised by hackers. Even traditional home devices pose a risk for organisations with the new normal being the distributed workforce. This potentially opens a new access path to corporate assets through home devices that have these types of vulnerabilities.
“The reality is, once hackers realise the potential here and exploits are developed, we will see a spike in attacks on these devices. These types of vulnerabilities are now pervasive across the enterprise and we will continue to find more examples in existing and unpatchable devices as well as in the new devices being added to networks to enable new applications.
“AMNESIA:33 also raises broader questions around due diligence, ethics and a sense of responsibility when it comes to the manufacture and supply of these devices. It’s time for the industry as whole to step in to address these issues and collaborate on a framework or set of standards that will assist with the design and manufacturing of devices to prevent these inherent vulnerabilities being widely accepted and distributed around the globe.”
Due to the complexity of identifying and patching vulnerable devices, vulnerability management for TCP/IP stacks is becoming a challenge for the security community. Forescout recommends adopting solutions that provide granular device visibility and the ability to monitor network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities.
AMNESIA:33 is the first study under Project Memoria, an initiative launched by Forescout Research Labs that aims at providing the community with the largest study on the security of TCP/IP stacks. Project Memoria’s goal is to develop the understanding of common bugs behind the vulnerabilities in TCP/IP stacks, identifying the threats they pose to the extended enterprise, and how to mitigate those.
To download the full report visit here.
