Thirty-three vulnerabilities in four open-source TCP/IP stacks may affect the security of millions of internet-connected devices from 150 manufacturers, according to researchers from Forescout. The report means IT administrators have to be on the lookout for security updates from vendors who use open source stacks.
The company said in a report issued Monday that the vulnerabilities, collectively dubbed Amnesia:33, in the uIP, PicoTCP, FNET, and Nut/Net stacks could allow remote code execution (RCE), denial of service (DoS via crash or infinite loop), information leak (infoleak) and DNS cache poisoning.
Within those stacks seven different components (DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS) are affected. Two vulnerabilities only affect 6LoWPAN wireless devices.
With remote code execution an attacker could take control of an internet-connected device and use it as a pivot point for lateral movement, as a persistence point on the target network or as the final target of an attack, the report points out.
“For enterprise organizations, this means they are at increased risk of having their network compromised or having malicious actors undermining their business continuity. For consumers, this means that their IoT devices may be used as part of large attack campaigns, such as botnets, without them being aware,” Forescout said. “It is difficult to assess the full impact of Amnesia:33 because the vulnerable stacks are widely spread (across diverse IoT, OT and IT devices in different verticals), highly modular (with several combinations of enabled features and settings) and often incorporated in embedded components, such as systems-on-a-chip (SoCs), that are later used by device manufacturers. For the same reasons, these vulnerabilities tend to be very hard to eradicate.”
The report suggests a huge range of products that could be affected including environmental sensors (e.g., temperature, humidity), smart lights, smart plugs, barcode readers, specialized printers, and audio systems for retail, industrial control systems (including RTUs, protocol gateways and serial-to-Ethernet gateways) and IT equipment (printers, switches and wireless access points).
Forescout has shared its findings with co-ordinating agencies (such as the ICS-CERT and the CERT/CC), which have contacted the identified vendors. Some have already confirmed the vulnerabilities and issued their patches, the report says, but several are still investigating.
This isn’t the first group of weaknesses found in TCP/IP stacks recently, the report notes. Earlier studies resulted in the discovery of the Ripple20 vulnerabilities in the Treck TCP/IP stack, which affected millions of devices, and the Bad Neighbor vulnerability in the ICMPv6 component of the Windows TCP/IP stack.
Forescout urges CIOs/CISOs to:
- Assess your risk: Organizations should perform a thorough risk assessment before deploying mitigations;
- Patch when possible: The best mitigation is to identify and patch vulnerable devices. However, this is easier said than done because:
  - Patches may not be available for an embedded component from the IoT or OT device vendor;
  - Patching an embedded component directly may void the device manufacturer’s warranty;
  - A device may be part of a mission-critical function or high-availability business operation and may not be patchable until a scheduled maintenance window at a future time.
- Segment to mitigate risk: For IoT and OT devices that cannot be patched, use segmentation to minimize their network exposure and likelihood of compromise;
- Disable or block IPv6 traffic: Since several vulnerabilities in Amnesia:33 are related to IPv6 components, disable or block IPv6 traffic whenever it is not needed in the network;
- Rely on internal DNS servers: Configure devices to rely on internal DNS servers whenever possible and closely monitor external DNS traffic, as several vulnerabilities in Amnesia:33 are related to DNS clients, which require a malicious DNS server to reply with malicious packets;
- Monitor for malformed packets.
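As an added example (not code from the Forescout report or from any of the affected stacks), the following Python checker is the kind of thing a defender could run over captured DNS responses to flag malformed replies, tying together the last two recommendations above. The specific malformation classes it checks (oversized labels, forward or looping compression pointers, truncated packets) are this example's own assumptions about what "malformed" should mean to a monitor, not a list taken from the advisory.

```python
# Added example, not code from Forescout's report. Flags malformed DNS responses of the kind
# a monitor watching external DNS traffic might alert on; the checks are this example's choices.
import struct

def skip_name(pkt: bytes, off: int) -> int:            # validate name at pkt[off:], return end offset
    jumps, end = 0, None
    while True:
        length = pkt[off]                               # IndexError here means the packet was cut off
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 section 4.1.4)
            target = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if target >= off:                           # a well-formed pointer only points backwards
                raise ValueError("forward or self-referential compression pointer")
            jumps += 1
            if jumps > 16:                              # backward pointers can still form a cycle
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end       # the name ends right after the first pointer
            off = target
            continue
        if length > 63:
            raise ValueError("label exceeds 63 bytes")
        off += 1
        if length == 0:                                 # root label terminates the name
            return off if end is None else end
        off += length

def check_response(pkt: bytes) -> list:                 # [] means the response parsed cleanly
    if len(pkt) < 12:
        return ["header shorter than 12 bytes"]
    qd, an, ns, ar = struct.unpack("!4H", pkt[4:12])    # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    off = 12
    try:
        for _ in range(qd):                             # question: NAME, QTYPE, QCLASS
            off = skip_name(pkt, off) + 4
        for _ in range(an + ns + ar):                   # RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
            off = skip_name(pkt, off)
            off += 10 + struct.unpack("!H", pkt[off + 8:off + 10])[0]
        if off > len(pkt):
            raise ValueError("RDLENGTH runs past end of packet")
    except (IndexError, struct.error):                  # ran off the end while reading a field
        return ["truncated packet"]
    except ValueError as e:
        return [str(e)]
    return []

# Constructed sample responses (not captured traffic): a clean reply, a looping name, a cut-off reply.
HDR = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"      # QDCOUNT=1, ANCOUNT=1
BENIGN = (HDR + b"\x07example\x03com\x00\x00\x01\x00\x01"      # example.com A IN
          + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")
LOOP = HDR + b"\x03abc\xc0\x0c"                                # pointer back to offset 12: abc, abc, ...
TRUNCATED = BENIGN[:18]                                        # cut in the middle of "example"
```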