Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Vulnerabilities in TCP/IP Stacks Allow for TCP Connection Hijacking, Spoofing

Improperly generated ISNs (Initial Sequence Numbers) in nine TCP/IP stacks could be abused to hijack connections to vulnerable devices, according to new research from Forescout.

Improperly generated ISNs (Initial Sequence Numbers) in nine TCP/IP stacks could be abused to hijack connections to vulnerable devices, according to new research from Forescout.

TCP/IP stacks are critical components that provide basic network connectivity for a broad range of devices, IoT and OT included, and which process all incoming frames and packets.

Numerous high-impact vulnerabilities affecting the TCP/IP stacks have already been publicly disclosed, including the Ripple20  and URGENT/11 bugs. In December last year, Forescout’s researchers detailed 33 new vulnerabilities in four open source TCP/IP stacks, collectively called AMNESIA:33.

Diving into 11 stacks this time, the researchers discovered that nine of them fail to properly generate ISNs, thus leaving connections open to attacks. Collectively referred to as NUMBER:JACK, the vulnerabilities affect cycloneTCP, FNET, MPLAB Net, Nucleus NET, Nut/Net, picoTCP, uIP, uC/TCP-IP, and TI-NDKTCPIP (Nanostack and lwIP are not impacted).

ISNs must be randomly generated, so as to ensure the uniqueness of any TCP connection between two devices, and to eliminate collisions and interference with the connection. However, should an attacker be able to guess an ISN, they could hijack an ongoing connection, close a connection (denial of service), or even spoof a new one.

[ Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series ]

Eight of the identified issues carry a CVSS score of 7.5, namely CVE-2020-27213 (Nut/Net 5.1), CVE-2020-27630 (uC/TCP-IP 3.6.0), CVE-2020-27631 (CycloneTCP 1.9.6), CVE-2020-27632 (NDKTCPIP 2.25), CVE-2020-27633 (FNET 4.6.3), CVE-2020-27634 (uIP 1.0, Contiki-OS 3.0, Contiki-NG 4.5), CVE-2020-27635 (PicoTCP 1.7.0, PicoTCP-NG), and CVE-2020-27636 (MPLAB Net 3.6.1), while the ninth has a CVSS score of 6.5 (CVE-2020-28388 – Nucleus NET 4.3).

“However, the actual severity on a particular device and TCP connection may vary depending on, for example, the use of encrypted sessions and the sensitivity of data exchanged,” Forescout’s researchers note.

Advertisement. Scroll to continue reading.

With the vulnerable stacks implemented in millions of embedded devices, including IT storage systems, medical devices, remote terminal units (RTUs), and monitoring systems for wind turbines, among others.

Administrators are advised to identify devices that run the vulnerable TCP/IP stacks (Forescout has released an open-source script to aid with discovery), apply the available patches if possible, apply network segmentation to diminish risks, and use end-to-end cryptographic solutions built on top of the Network layer (IPsec).

The identified vulnerabilities were reported to the affected vendors and maintainers in October last year, and most of them have already released patches to address the bugs, except for Nut/Net developers, who are still working on a solution, and the uIP developers, who never replied to Forescout.

“Unfortunately, this type of vulnerability is also difficult to fix permanently because of the resource constraints of many embedded devices, and what is considered a secure PRNG today may be considered insecure in the future. Some stack developers opt to rely on system integrators to implement their own ISN generation, which is a fair decision, but which means not all devices using a patched stack will be secure automatically,” the researchers conclude.

Related: CISA Issues ICS Advisory for New Vulnerabilities in Treck TCP/IP Stack

Related: Siemens, Schneider Electric Address Serious Vulnerabilities in ICS Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.