Vulnerable TCP/IP stacks open millions of IoT and OT devices to attack
Forescout researchers have discovered 33 vulnerabilities affecting four open source TCP/IP (communications) stacks used in millions of connected devices worldwide.
Collectively dubbed Amnesia:33 because they primarily cause memory corruption, these vulnerabilities may allow attackers to remotely compromise devices, execute malicious code, perform denial-of-service attacks, steal sensitive information or inject malicious DNS records to point a device to an attacker-controlled domain.
About the vulnerable TCP/IP stacks
The vulnerable open source TCP/IP stacks are PicoTCP, FNET, Nut/Net and uIP (the latter started as a standalone project then became part of the Contiki OS). The vulnerabilities have been found in seven different stack components: DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS.
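Most of the findings are memory-corruption bugs in code that parses untrusted packet fields, and DNS name decoding is the textbook place for them. The following is an added illustration, not code from any of the four stacks and not a reproduction of any Amnesia:33 flaw: a hypothetical bounds-checked decoder for the RFC 1035 name format (labels plus compression pointers) showing the checks a defender expects to see in an embedded resolver, exercised on a constructed packet and three malformed encodings.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_JUMPS 16   /* cap on compression-pointer hops per name */

/* Decode one DNS name from packet pkt (pkt_len bytes) starting at offset off.
 * Writes a dotted name into out (out_len bytes, NUL-terminated) and returns the
 * offset just past the name as it appears at off, or -1 if the encoding would
 * read past the packet, write past out, or chase pointers indefinitely.
 * Hypothetical hardened decoder, not code from any of the stacks named above. */
int dns_decode_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                    char *out, size_t out_len)
{
    size_t pos = off, written = 0, jumps = 0;
    long end = -1;             /* end offset of the name before the first pointer */

    if (out_len < 2) return -1;
    out[0] = '\0';

    for (;;) {
        if (pos >= pkt_len) return -1;             /* truncated packet */
        uint8_t len = pkt[pos];

        if ((len & 0xC0) == 0xC0) {                /* compression pointer */
            if (pos + 1 >= pkt_len) return -1;     /* second pointer byte missing */
            if (++jumps > DNS_MAX_JUMPS) return -1;/* pointer loop */
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (end < 0) end = (long)(pos + 2);
            if (target >= pos) return -1;          /* must point to earlier bytes */
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                 /* reserved label types 0x40/0x80 */
        /* here len <= 63, the RFC 1035 label limit, since its top two bits are clear */

        if (len == 0) {                            /* root label terminates the name */
            if (end < 0) end = (long)(pos + 1);
            if (written == 0) strcpy(out, ".");    /* the root name itself */
            else out[written - 1] = '\0';          /* drop trailing dot */
            return (int)end;
        }
        if (pos + 1 + (size_t)len > pkt_len) return -1;  /* label runs off the packet */
        if (written + len + 1 >= out_len) return -1;      /* no room for label, dot, NUL */
        memcpy(out + written, pkt + pos + 1, len);
        written += len;
        out[written++] = '.';
        pos += 1 + (size_t)len;
    }
}

/* Constructed sample packet (not a capture): "www.example.com" at offset 0,
 * then "foo" plus a pointer back to "example.com" at offset 4, the layout a
 * resolver sees in a compressed response. */
static const uint8_t sample_pkt[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    3,'f','o','o', 0xC0, 0x04
};
static char last_name[256];

/* Decode the name at off from sample_pkt into last_name; returns end offset or -1. */
int decode_sample(size_t off)
{
    return dns_decode_name(sample_pkt, sizeof sample_pkt, off, last_name, sizeof last_name);
}
const char *decoded_name(void) { return last_name; }

/* Three malformed encodings an unchecked parser would read or write out of bounds on. */
int decode_truncated(void)    /* label claims 5 bytes, packet holds 2 */
{
    static const uint8_t p[] = { 5, 'a', 'b' };
    return dns_decode_name(p, sizeof p, 0, last_name, sizeof last_name);
}
int decode_pointer_loop(void) /* "abc" followed by a pointer back to itself */
{
    static const uint8_t p[] = { 3, 'a', 'b', 'c', 0xC0, 0x00 };
    return dns_decode_name(p, sizeof p, 0, last_name, sizeof last_name);
}
int decode_small_output(void) /* valid name, but the caller's buffer is too small */
{
    char tiny[8];
    return dns_decode_name(sample_pkt, sizeof sample_pkt, 0, tiny, sizeof tiny);
}

int main(void)
{
    int end = decode_sample(0);
    printf("name@0  = %s (next offset %d)\n", decoded_name(), end);
    end = decode_sample(17);
    printf("name@17 = %s (next offset %d)\n", decoded_name(), end);
    printf("truncated=%d loop=%d small=%d\n",
           decode_truncated(), decode_pointer_loop(), decode_small_output());
    return 0;
}
```

Every rejection path corresponds to one of the checks a fuzzer or code review would look for in an embedded stack: length against the packet, length against the output buffer, a bounded hop count and backward-only targets for compression pointers.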
“The AMNESIA:33 vulnerabilities can be found in products that range from embedded components (such as Systems on a Chip – SoCs, connectivity modules and OEM boards) to consumer IoT (such as smart plugs and smart thermostats), and from networking and office equipment (such as printers, switches and server software) to OT (such as access control devices, IP Cameras, RTUs and HVAC),” the researchers explained.
The vulnerabilities and their possible impact have been detailed here, though it has to be pointed out that the final impact depends on the specific devices using the vulnerable stack and the context in which they are used.
For example, a DoS vulnerability is not usually considered to be critical, but if it impacts devices in critical OT environments, where availability is important, it might be.
“RCEs in critical embedded devices can be used to commit fraud in a smart meter, breach corporate networks via building automation and routers, VPNs, firewalls or gateways, or attempt to cause physical damage on a safety controller,” the researchers added.
A vulnerability management nightmare
Since the flaws affect multiple open source TCP/IP stacks, it’s difficult to definitively list all the affected devices out there. Also, because of the many forks, branches and unsupported (yet still available) versions, patching will be difficult and in many cases simply won’t happen.
“We contacted the ICS-CERT and the CERT Coordination Center to help in the disclosure, patching and vendor communication for the AMNESIA:33 vulnerabilities. They in turn got the help of GitHub’s security team to find and contact affected repositories,” the researchers noted.
“Despite much effort from all the parties, official patches were only issued by the Contiki-NG, PicoTCP-NG, FNET and Nut/Net projects. At the time of writing, no official patches have been issued for the original uIP, Contiki and PicoTCP projects, which we believe have reached end-of-life status but are still available for download. Some of the vendors and projects using these original stacks, such as open-iscsi, issued their own patches.”
More information about patches and confirmed vulnerable devices can be found in CERT/CC’s vulnerability note.
All in all, this is going to be a risk mitigation challenge, especially for organizations. Many IoT devices don’t come with a Software Bill of Materials (SBoM), and finding out which OS, firmware, or TCP/IP stack each device uses will be a time-consuming exercise. Finally, even if enterprise security staff get that information, patches might never become available.
To manage the risk posed by these vulnerabilities, Forescout researchers recommend that companies adopt solutions that provide granular device visibility, allow the monitoring of network communications, and isolate vulnerable devices or network segments.
“Software supply chain security is particularly challenging when it comes to IoT. The highly competitive IoT ecosystem remains a significant breeding ground for flawed software due to complex supply chains that propagate vulnerabilities, yet flaws are often difficult to patch,” commented Ilkka Turunen, Global Director of Solutions Architecture, Sonatype.
“Proposed legislation by the UK government to secure IoT devices should also help mitigate threats in the long term, but there needs to be greater onus on manufacturers to take responsibility for what goes into their products. The tools are available to enable manufacturers to build security into their applications, so failure to do so should amount to gross negligence. No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, so why should the software components in connected devices be any different? Instead, manufacturers should be able to certify that their software, and their devices, are secure at the time of shipping, and should ensure their security updates last for the mandated time. Only with a combined effort from manufacturers and businesses, backed by IoT legislation, can we be confident of proper software hygiene in the ever-expanding connected ecosystem.”
Security research into TCP/IP stacks has just begun
This is not the first time that TCP/IP stacks have been found to be vulnerable to attack. In late 2019, Armis researchers revealed 11 vulnerabilities in IPnet, a TCP/IP stack used in Wind River VxWorks, a real-time operating system used by more than two billion devices across industrial, medical and enterprise environments.
Then, in June 2020, JSOF researchers disclosed 20 vulnerabilities in the Treck TCP/IP library, used in hundreds of millions of IoT and OT devices.
Forescout’s research is the first study that has been published under Project Memoria, “an initiative with the mission of providing the community with the largest study on the security of TCP/IP stacks.” Additional research (and vulnerabilities) will be shared in the future, the researchers announced.