Millions of connected devices from over 150 vendors are affected by tens of vulnerabilities found in open source TCP/IP stacks, enterprise IoT security company Forescout revealed this week.
Providing basic network connectivity in a wide range of devices, including IoT and OT devices, TCP/IP stacks are critical components that process every incoming frame and packet.
Vulnerabilities in these stacks tend to have wide impact. The Ripple20 flaws disclosed earlier this year and the URGENT/11 bugs made public in 2019 were revealed to render millions of devices vulnerable to remote attacks.
A total of 33 new vulnerabilities were found in four open source TCP/IP stacks, namely uIP, PicoTCP, FNET, and Nut/Net. Collectively referred to as AMNESIA:33 and rooted in memory corruption, the bugs expose devices to remote code execution, information disclosure, denial of service, and DNS cache poisoning.
Attackers able to exploit these vulnerabilities could take full control of affected devices and then abuse them to move laterally within the environment, or to maintain persistent access to the target network.
Because the affected open source TCP/IP stacks are used in a variety of devices from multiple vendors, numerous organizations are affected, with those in the government, healthcare, services, manufacturing, financial, retail, and technology sectors being impacted the most.
“The widespread nature of these vulnerabilities means that many organizations around the world may be affected by AMNESIA:33. Organizations that fail to mitigate this risk are leaving open doors for attackers in IT, OT, and IoT devices across their organization,” Forescout notes.
A total of seven open source TCP/IP stacks were taken into consideration for this analysis and vulnerabilities were found in only four of them, but that doesn’t mean the rest are free of yet unknown flaws, Forescout’s security researchers point out.
The AMNESIA:33 flaws impact seven components of the stacks, namely DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS. Most of the flaws have been assigned severity ratings of high. Two of the bugs only impact 6LoWPAN wireless devices.
Of the 33 newly identified vulnerabilities, four were assessed as critical severity, leading to remote code execution. Three of them feature a CVSS score of 9.8 (CVE-2020-24336, CVE-2020-24338, and CVE-2020-25111).
Most of the security bugs are the result of insufficient validation of input or the lack of checks, either allowing an attacker to corrupt memory or to cause an infinite loop. Thus, most of these vulnerabilities lead to denial of service.
The components that were found to be affected the most are the DNS, TCP, and IPv4/IPv6 sub-stacks, with DHCP, ICMP/ICMPv6, ARP, and others impacted as well.
“DNS appears to be a vulnerability-prone component because it is a complex, feature-rich protocol, different from many other components in the stack. Indeed, the DNS component is a client that usually communicates with a few standard servers rather than a server that communicates with many other clients; this may lead to errors in the implementations,” Forescout notes.
Out-of-bounds read is the most common type of vulnerability in the AMNESIA:33 pack, followed by integer overflow and out-of-bounds write. State confusion, NULL-pointer dereference, and division by zero bugs were also discovered.
The security researchers also note that exploiting vulnerabilities in embedded systems is typically easy, due to the lack of exploit mitigations and memory protection in these devices. However, exploitability differs from device to device, influenced by stack configuration, the networking hardware and driver, and the target platform.
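The bug classes named above (missing input validation leading to out-of-bounds reads and writes, and missing checks leading to infinite loops) cluster in the DNS component because DNS names are variable-length and use backward "compression pointers" that a parser must follow. The following is an added illustration, not code from the Forescout report or from any of the four stacks: a DNS name decoder written the way a hardened embedded stack should write it, where every read is checked against the message length, every compression pointer must point strictly backwards, and a hop budget caps how many pointers are followed. The sample message bytes and the `max_hops` limit are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decode the DNS name at offset `off` of message `msg` (length `len`) into
 * `out` (capacity `outcap`, dotted form, NUL-terminated).
 * Returns the number of bytes the name occupies at the original position
 * (up to and including the first compression pointer or the zero label),
 * or -1 for any malformed input.  Each check is annotated with the bug class
 * it prevents. */
int dns_name_decode(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outcap)
{
    size_t pos = off, consumed = 0, outlen = 0;
    int jumped = 0, hops = 0;
    const int max_hops = 16;              /* assumption: pointer-chain budget */

    if (outcap == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;        /* OOB read of the length byte */
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {         /* compression pointer (2 bytes) */
            if (pos + 1 >= len) return -1;   /* OOB read of pointer low byte */
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (target >= pos) return -1;    /* forward/self pointer -> loop */
            if (++hops > max_hops) return -1;/* belt-and-braces loop bound */
            if (!jumped) { consumed = pos + 2 - off; jumped = 1; }
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;          /* reserved label types 0x40/0x80 */
        if (c == 0) {                     /* terminating root label */
            if (!jumped) consumed = pos + 1 - off;
            break;
        }
        if (pos + 1 + c > len) return -1;        /* OOB read of label body */
        if (outlen + c + 1 >= outcap) return -1; /* OOB write: '.' + body + NUL */
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, msg + pos + 1, c);
        outlen += c;
        pos += 1 + c;
    }
    out[outlen] = '\0';
    return (int)consumed;
}

/* Constructed sample message: a 12-byte header, then
 *   offset 12: "example.com" as labels, terminated by 0x00
 *   offset 25: "www" followed by a pointer to offset 12
 *   offset 31: a pointer to itself (malformed: would loop forever)
 *   offset 33: a label claiming 5 bytes with only 3 present (truncated) */
static const uint8_t sample_msg[] = {
    0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0,
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,
    3, 'w','w','w', 0xC0, 0x0C,
    0xC0, 0x1F,
    5, 'a','b','c'
};

/* Helpers that decode at an offset of the sample message. */
const char *decode_at(size_t off)
{
    static char buf[256];
    return dns_name_decode(sample_msg, sizeof sample_msg, off, buf, sizeof buf) < 0
           ? NULL : buf;
}

int consumed_at(size_t off)
{
    char buf[256];
    return dns_name_decode(sample_msg, sizeof sample_msg, off, buf, sizeof buf);
}

int main(void)
{
    size_t offs[] = { 12, 25, 31, 33, sizeof sample_msg };
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++) {
        const char *name = decode_at(offs[i]);
        printf("offset %2zu: %s (consumed %d)\n", offs[i],
               name ? name : "REJECTED", consumed_at(offs[i]));
    }
    return 0;
}
```

The two well-formed names decode normally; the self-referential pointer and the truncated label are rejected before any byte outside the message is touched, which is exactly the validation whose absence the report describes as the root cause of most of the 33 bugs.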
“It is crucial to keep in mind that a device that uses a particular IP stack will not automatically be exploited. Even when a vulnerability on a device can be exploited, the impact of a vulnerability varies greatly,” the researchers underline, adding that the real impact of these vulnerabilities is contextual.
However, because components running the vulnerable stacks can be found on a variety of systems, including MCUs, SoCs, connectivity modules, OEM boards, consumer IoT, networking and office equipment, access control devices, IP cameras, and more, the impact of AMNESIA:33 flaws is broad, especially since the affected stacks are open source and not owned by a single company.
“The risk is that these vulnerabilities can spread easily and silently across multiple codebases, development teams, companies and products since these stacks form the basis of other software, operating systems, SoCs, embedded modules and development boards used to create a multitude of devices,” Forescout points out.
The security researchers estimate that at least 150 vendors are affected and believe that millions of vulnerable devices are in the wild at the moment. They also note that government and healthcare organizations are impacted the most, with the services, manufacturing, and financial verticals rounding out the top five.
Following Forescout’s report, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to raise awareness on the existence of these vulnerabilities and identify mitigations meant to reduce the risks associated with them.