Forescout Research Labs has revealed a set of 33 memory corruption vulnerabilities affecting hundreds of vendors and potentially millions of Internet of Things (IoT), Industrial IoT (IIoT), Internet of Medical Things (IoMT), operational technology (OT), and IT devices worldwide.
Dubbed AMNESIA:33, the vulnerabilities affect four open-source TCP/IP stacks: uIP, FNET, picoTCP and Nut/Net. These open-source stacks serve as the foundation for many connected devices around the world, including the operating systems for embedded devices, systems-on-a-chip, networking equipment, OT devices and a myriad of enterprise and consumer IoT devices.
Four of the vulnerabilities in AMNESIA:33 are critical, as they create the potential for remote code execution on certain devices. That means an attacker exploiting these vulnerabilities could take full control of a device and use it as an entry point of attack on a network, as a pivot point for lateral movement, as a persistence point on the target network, or as the final target of an attack. The vulnerabilities also allow for denial of service and information leaks.
TCP/IP stacks are critical components of all IP-connected devices, including IoT and OT, since they enable basic network communication. Open-source stacks, like the ones affected by AMNESIA:33, are not owned by a single company and are used across multiple codebases, development teams, companies and products.
Many of the vulnerabilities reported within AMNESIA:33 can be attributed to bad software development practices, such as an absence of basic input validation. AMNESIA:33 also raises broader questions around due diligence, ethics and a sense of responsibility when it comes to the manufacture and supply of these devices. It’s time for the industry as a whole to step in to address these issues and collaborate on a framework or set of standards that will assist with the design and manufacturing of devices, to prevent these inherent vulnerabilities from being widely distributed around the globe.
Because of the nature of these vulnerabilities, patching them can be difficult or impossible. Manufacturers are not required to disclose the TCP/IP components that make up the devices they sell, which means it can be difficult to identify which devices are affected in order to mitigate the risk. Forescout recommends adopting solutions that provide granular device visibility and the ability to monitor network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities.
Forescout Research Labs has committed to continue advancing the understanding of the common bugs behind vulnerabilities in TCP/IP stacks, identifying the threats they pose to the extended enterprise, and determining how to mitigate them. AMNESIA:33 is the first study under this long-term project, dubbed Project Memoria, which will include Forescout researchers as well as those from the broader cybersecurity community.
The reality is, once hackers realise the potential here and exploits are developed, we will see a spike in attacks on these devices. These types of vulnerabilities are now pervasive across the enterprise and we will continue to find more examples in existing and unpatchable devices as well as in the new devices being added to networks to enable new applications.