Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Vulnerabilities in TCP/IP Stacks Allow for TCP Connection Hijacking, Spoofing

Improperly generated ISNs (Initial Sequence Numbers) in nine TCP/IP stacks could be abused to hijack connections to vulnerable devices, according to new research from Forescout.

Improperly generated ISNs (Initial Sequence Numbers) in nine TCP/IP stacks could be abused to hijack connections to vulnerable devices, according to new research from Forescout.

TCP/IP stacks are critical components that provide basic network connectivity for a broad range of devices, IoT and OT included, and which process all incoming frames and packets.

Numerous high-impact vulnerabilities affecting the TCP/IP stacks have already been publicly disclosed, including the Ripple20  and URGENT/11 bugs. In December last year, Forescout’s researchers detailed 33 new vulnerabilities in four open source TCP/IP stacks, collectively called AMNESIA:33.

Diving into 11 stacks this time, the researchers discovered that nine of them fail to properly generate ISNs, thus leaving connections open to attacks. Collectively referred to as NUMBER:JACK, the vulnerabilities affect cycloneTCP, FNET, MPLAB Net, Nucleus NET, Nut/Net, picoTCP, uIP, uC/TCP-IP, and TI-NDKTCPIP (Nanostack and lwIP are not impacted).

ISNs must be randomly generated, so as to ensure the uniqueness of any TCP connection between two devices, and to eliminate collisions and interference with the connection. However, should an attacker be able to guess an ISN, they could hijack an ongoing connection, close a connection (denial of service), or even spoof a new one.

[ Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series ]

Eight of the identified issues carry a CVSS score of 7.5, namely CVE-2020-27213 (Nut/Net 5.1), CVE-2020-27630 (uC/TCP-IP 3.6.0), CVE-2020-27631 (CycloneTCP 1.9.6), CVE-2020-27632 (NDKTCPIP 2.25), CVE-2020-27633 (FNET 4.6.3), CVE-2020-27634 (uIP 1.0, Contiki-OS 3.0, Contiki-NG 4.5), CVE-2020-27635 (PicoTCP 1.7.0, PicoTCP-NG), and CVE-2020-27636 (MPLAB Net 3.6.1), while the ninth has a CVSS score of 6.5 (CVE-2020-28388 – Nucleus NET 4.3).

“However, the actual severity on a particular device and TCP connection may vary depending on, for example, the use of encrypted sessions and the sensitivity of data exchanged,” Forescout’s researchers note.

With the vulnerable stacks implemented in millions of embedded devices, including IT storage systems, medical devices, remote terminal units (RTUs), and monitoring systems for wind turbines, among others.

Administrators are advised to identify devices that run the vulnerable TCP/IP stacks (Forescout has released an open-source script to aid with discovery), apply the available patches if possible, apply network segmentation to diminish risks, and use end-to-end cryptographic solutions built on top of the Network layer (IPsec).

The identified vulnerabilities were reported to the affected vendors and maintainers in October last year, and most of them have already released patches to address the bugs, except for Nut/Net developers, who are still working on a solution, and the uIP developers, who never replied to Forescout.

“Unfortunately, this type of vulnerability is also difficult to fix permanently because of the resource constraints of many embedded devices, and what is considered a secure PRNG today may be considered insecure in the future. Some stack developers opt to rely on system integrators to implement their own ISN generation, which is a fair decision, but which means not all devices using a patched stack will be secure automatically,” the researchers conclude.

Related: CISA Issues ICS Advisory for New Vulnerabilities in Treck TCP/IP Stack

Related: Siemens, Schneider Electric Address Serious Vulnerabilities in ICS Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.