Improperly generated ISNs (Initial Sequence Numbers) in nine TCP/IP stacks could be abused to hijack connections to vulnerable devices, according to new research from Forescout.
TCP/IP stacks are critical components that provide basic network connectivity for a broad range of devices, IoT and OT included, and which process all incoming frames and packets.
Numerous high-impact vulnerabilities affecting the TCP/IP stacks have already been publicly disclosed, including the Ripple20 and URGENT/11 bugs. In December last year, Forescout’s researchers detailed 33 new vulnerabilities in four open source TCP/IP stacks, collectively called AMNESIA:33.
Diving into 11 stacks this time, the researchers discovered that nine of them fail to properly generate ISNs, thus leaving connections open to attacks. Collectively referred to as NUMBER:JACK, the vulnerabilities affect cycloneTCP, FNET, MPLAB Net, Nucleus NET, Nut/Net, picoTCP, uIP, uC/TCP-IP, and TI-NDKTCPIP (Nanostack and lwIP are not impacted).
ISNs must be randomly generated, so as to ensure the uniqueness of any TCP connection between two devices, and to eliminate collisions and interference with the connection. However, should an attacker be able to guess an ISN, they could hijack an ongoing connection, close a connection (denial of service), or even spoof a new one.
[ Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series ]
Eight of the identified issues carry a CVSS score of 7.5, namely CVE-2020-27213 (Nut/Net 5.1), CVE-2020-27630 (uC/TCP-IP 3.6.0), CVE-2020-27631 (CycloneTCP 1.9.6), CVE-2020-27632 (NDKTCPIP 2.25), CVE-2020-27633 (FNET 4.6.3), CVE-2020-27634 (uIP 1.0, Contiki-OS 3.0, Contiki-NG 4.5), CVE-2020-27635 (PicoTCP 1.7.0, PicoTCP-NG), and CVE-2020-27636 (MPLAB Net 3.6.1), while the ninth has a CVSS score of 6.5 (CVE-2020-28388 – Nucleus NET 4.3).
“However, the actual severity on a particular device and TCP connection may vary depending on, for example, the use of encrypted sessions and the sensitivity of data exchanged,” Forescout’s researchers note.
With the vulnerable stacks implemented in millions of embedded devices, including IT storage systems, medical devices, remote terminal units (RTUs), and monitoring systems for wind turbines, among others.
Administrators are advised to identify devices that run the vulnerable TCP/IP stacks (Forescout has released an open-source script to aid with discovery), apply the available patches if possible, apply network segmentation to diminish risks, and use end-to-end cryptographic solutions built on top of the Network layer (IPsec).
The identified vulnerabilities were reported to the affected vendors and maintainers in October last year, and most of them have already released patches to address the bugs, except for Nut/Net developers, who are still working on a solution, and the uIP developers, who never replied to Forescout.
“Unfortunately, this type of vulnerability is also difficult to fix permanently because of the resource constraints of many embedded devices, and what is considered a secure PRNG today may be considered insecure in the future. Some stack developers opt to rely on system integrators to implement their own ISN generation, which is a fair decision, but which means not all devices using a patched stack will be secure automatically,” the researchers conclude.
Related: CISA Issues ICS Advisory for New Vulnerabilities in Treck TCP/IP Stack
Related: Siemens, Schneider Electric Address Serious Vulnerabilities in ICS Products

More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
