Forescout researchers have discovered nine vulnerabilities affecting nine different TCP/IP stacks widely used in IoT and OT devices.
The vulnerabilities are due to weak Initial Sequence Number (ISN) generation, and could be exploited to mount limited DoS attacks against the vulnerable devices, to inject malicious data on a device, or to bypass authentication.
The vulnerable TCP/IP stacks
“TCP is a connection-oriented networking protocol that allows two endpoints to exchange data. TCP is one of the protocols used in the TCP/IP Transport Layer, and it aims for ordered and error-checked delivery of data between network endpoints,” the researchers explained.
“ISNs ensure that every TCP connection between two devices is unique and that there are no collisions, preventing third parties from interfering with an ongoing connection. To guarantee these properties, ISNs must be randomly generated so that an attacker cannot guess an ISN and hijack an ongoing connection or spoof a new one.”
Unfortunately, the vulnerable stacks either do not use a pseudorandom number generator (PRNG) at all when producing ISN values, or they use a weak PRNG whose output can be predicted from a handful of observed values.
The researchers probed 11 TCP/IP stacks, seven of which are open-source (uIP, FNET, picoTCP, Nut/Net, lwIP, cycloneTCP and uC/TCP-IP); the remaining four are Microchip’s MPLAB Net, Texas Instruments’ NDKTCPIP, ARM’s Nanostack and Siemens’ Nucleus NET.
They discovered that lwIP and Nanostack were not vulnerable, but the rest were, and that the vulnerabilities allow attackers to predict the ISN of existing TCP connections or new ones.
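The following script is an added example, not Forescout's code and not the ISN generation code of any of the stacks named above. It models the three behaviours the article distinguishes (a constant ISN, a fixed-step counter, and a weak 32-bit linear congruential PRNG) next to an RFC 6528-style generator that mixes a clock with a keyed hash of the connection four-tuple, and then runs a predictor over ISNs "observed" from successive connections. In practice those observations would come from the SYN/ACK of real handshakes; here they are constructed in-process. All class and function names, and the LCG constants, are assumptions chosen for illustration.

```python
"""Added example: why weak ISN generation is predictable (not part of the original article).

Generators model the behaviours described in the article; none is the actual code of any named stack.
"""
import hashlib
import hmac
import os
import struct
import time

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


class ConstantISN:
    """No PRNG at all: every connection starts from the same ISN (constructed model)."""

    def __init__(self, value=0x12345678):
        self.value = value

    def next_isn(self, four_tuple=None):
        return self.value


class IncrementingISN:
    """ISN is a counter advanced by a fixed step per connection (constructed model)."""

    def __init__(self, start=0x1000, step=64000):
        self.cur, self.step = start & MASK, step

    def next_isn(self, four_tuple=None):
        isn = self.cur
        self.cur = (self.cur + self.step) & MASK
        return isn


class LCGISN:
    """Weak PRNG: 32-bit linear congruential generator, seeded once at boot (constructed model)."""

    def __init__(self, seed, a=1664525, c=1013904223):  # Numerical Recipes constants, assumed
        self.state, self.a, self.c = seed & MASK, a, c

    def next_isn(self, four_tuple=None):
        self.state = (self.a * self.state + self.c) & MASK
        return self.state


class RFC6528ISN:
    """RFC 6528 scheme: ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret).

    M is a clock ticking every ~4 microseconds; F is a keyed hash (HMAC-SHA256 here).
    Without the secret, an attacker cannot compute the offset for a new four-tuple.
    """

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)

    def next_isn(self, four_tuple):
        m = int(time.monotonic() * 250_000) & MASK  # 4 us ticks
        f = hmac.new(self.secret, repr(four_tuple).encode(), hashlib.sha256).digest()
        return (m + struct.unpack(">I", f[:4])[0]) & MASK


def predict_next(observed):
    """Try to predict the ISN of the next connection from ISNs of previous ones.

    Returns (method, prediction) or (None, None) when no pattern is recognised.
    """
    if len(observed) < 3:
        return None, None
    deltas = [(observed[i + 1] - observed[i]) & MASK for i in range(len(observed) - 1)]
    if all(d == 0 for d in deltas):
        return "constant", observed[-1]
    if len(set(deltas)) == 1:
        return "fixed-increment", (observed[-1] + deltas[0]) & MASK
    # LCG with modulus 2**32: x1 = a*x0 + c, x2 = a*x1 + c  =>  a = (x2-x1) * (x1-x0)^-1 (mod 2**32).
    # (x1-x0) is invertible mod 2**32 only when it is odd.
    x0, x1, x2 = observed[-3:]
    diff = (x1 - x0) & MASK
    if diff & 1:
        a = ((x2 - x1) * pow(diff, -1, 1 << 32)) & MASK
        c = (x1 - a * x0) & MASK
        # Only trust the recovered parameters if they reproduce every observed transition.
        if all(((a * observed[i] + c) & MASK) == observed[i + 1] for i in range(len(observed) - 1)):
            return "lcg", (a * x2 + c) & MASK
    return None, None


def demo():
    """Run the predictor against each generator model; returns {name: (method, hit)}."""
    results = {}
    for name, gen in (("constant", ConstantISN()),
                      ("counter", IncrementingISN()),
                      ("lcg", LCGISN(seed=0xDEADBEEF)),
                      ("rfc6528", RFC6528ISN())):
        # Constructed observations: six connections from the same client, different source ports.
        observed = [gen.next_isn(("10.0.0.1", 40000 + i, "10.0.0.2", 502)) for i in range(6)]
        method, guess = predict_next(observed)
        actual = gen.next_isn(("10.0.0.1", 40006, "10.0.0.2", 502))
        results[name] = (method, guess == actual)
    return results


if __name__ == "__main__":
    for name, (method, hit) in demo().items():
        print(f"{name:8s} pattern={method!s:16s} next ISN predicted correctly: {hit}")
```

The predictor only needs a few handshakes to recover the full state of the counter and LCG models, which is exactly what lets an attacker spoof or reset a connection from off-path; the RFC 6528 model yields no usable pattern because the per-connection offset depends on a secret the observer never sees.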
The CVE identifiers and a description of each vulnerability are listed in Forescout’s report.
Patching and mitigation
The good news is that most vendors have already issued patches and/or mitigation advice (though the developers of Nut/Net are still working on a solution, and uIP developers have yet to respond to Forescout’s reporting).
The bad news is that patching all the affected devices out there – and these include medical devices, wind turbine monitoring systems, remote terminal units (RTUs) and IT storage systems (among others) – is unlikely to happen, because embedded devices are notoriously difficult to manage and update, as they are often part of mission-critical infrastructure.
Nevertheless, they advised administrators to discover and inventory devices that run a vulnerable TCP/IP stack (and provided an open-source script that can help them), and to implement a patch when possible.
“For vulnerable IoT and OT devices, use segmentation to minimize their network exposure and the likelihood of compromise without impacting mission-critical functions or business operations. Segmentation and zoning also limit the blast radius and business impact if a vulnerable device becomes compromised,” they also recommended.
Finally, deploying IPsec can help defend against TCP spoofing and connection reset attacks.