Researchers at Forescout Technologies have identified 33 security vulnerabilities in four open source TCP/IP stacks (uIP, PicoTCP, FNET, and Nut/Net) that have been used in millions of devices around the world.
The details of the vulnerabilities, which Forescout is calling AMNESIA:33, will be discussed at the Black Hat Europe 2020 conference.
AMNESIA:33 affects seven different components of the stacks (DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS). Two vulnerabilities in AMNESIA:33 only affect 6LoWPAN wireless devices, says Daniel dos Santos, a researcher at Forescout.
These cover remote code execution (RCE), denial of service (DoS via crash or infinite loop), information leak (infoleak) and DNS cache poisoning. Four of the vulnerabilities allow for remote code execution.
Generally, these vulnerabilities can be exploited to take full control of a target device (RCE), impair its functionality (DoS), obtain potentially sensitive information (infoleak) or inject malicious DNS records to point a device to an attacker-controlled domain (DNS cache poisoning). However, different devices may be affected differently by the vulnerabilities depending on how a stack is used.
More than 150 vendors and millions of devices are likely vulnerable to AMNESIA:33, says dos Santos. The findings have been shared with agencies such as ICS-CERT and the CERT/CC, which have contacted the identified vendors. Some vendors have already confirmed the vulnerabilities and issued patches, but several are still investigating.
The vulnerabilities were discovered as part of Project Memoria, which is studying the security of TCP/IP stacks.
Exploiting the AMNESIA:33 vulnerabilities could allow an attacker to take control of a device, thus using it as an entry point on a network (for Internet-connected devices), as a pivot point for lateral movement, as a persistence point on the target network or as the final target of an attack.
It is difficult to assess the full impact of AMNESIA:33 because the vulnerable stacks are widely spread across diverse IoT, embedded and enterprise IT systems and are often incorporated in embedded components, such as systems-on-a-chip (SoCs).
The largest area of concern is IoT devices, both enterprise and consumer, which include cameras, environmental sensors (temperature, humidity), smart lights, smart plugs, barcode readers, specialized printers and retail audio systems. Building Automation Systems, which include physical access controls, fire and smoke alarms, energy meters and HVAC systems, are also vulnerable, as are Industrial Control Systems, which include RTUs, protocol gateways and serial-to-Ethernet gateways.
The best mitigation is to identify and patch vulnerable devices. However, this is easier said than done because patches may not be available for an embedded component from the IoT or OT device vendor and patching an embedded component directly may void the device manufacturer’s warranty. A device may also be part of a mission-critical function or high-availability business operation and may not be patchable until a scheduled maintenance window at a future time.
IoT cybersecurity company Sternum says it can successfully mitigate the exploitation of these vulnerabilities using its memory and execution flow integrity solution.
“This is why real-time prevention embedded onto actual IoT devices is so critical – so you won’t need to rely on patching vulnerabilities after you’ve already been hit by a cyberattack,” said Natali Tshuva, CEO of Sternum.
“In most cases, like AMNESIA:33, patching vulnerabilities is too expensive or not even an option. Device makers need to be able to mitigate or prevent the exploitation of vulnerabilities in advance, even those that originated in 3rd party code, as so many of them cannot be fixed via traditional patching and new ones continue to appear frequently.”
Sternum recently raised $6.5m for the development of its technology.
Several of the vulnerabilities in AMNESIA:33 are related to IPv6 components, so disabling or blocking IPv6 traffic whenever it is not needed in the network can help.
Another approach is to monitor all network traffic for malformed packets, for instance those with non-conforming field lengths or failing checksums, that attempt to exploit known vulnerabilities or possible zero-days; this is worthwhile because many of the vulnerabilities are in IPv4 and other standard components of the stacks. Anomalous and malformed IP traffic should be blocked or, at a minimum, network operators should be alerted to its presence.
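To show the kind of header sanity check this mitigation describes, here is an added Python example (not Forescout's or any vendor's code) that validates the IPv4 header length fields and header checksum of raw packets and reports mismatches, the sort of check a monitoring sensor would run before a fragile embedded parser ever sees the packet. The packet samples are constructed for the example and use RFC 5737 documentation addresses.

```python
import struct

# RFC 791 one's-complement sum over a header: a header whose checksum field is
# intact and correct folds to 0 here; any other result means a mismatch.
def ipv4_header_checksum(header: bytes) -> int:
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def check_ipv4_packet(pkt: bytes) -> list:
    """Return anomaly descriptions for one raw IPv4 packet; [] means it passed."""
    if len(pkt) < 20:
        return ["truncated: fewer than 20 bytes captured"]
    findings = []
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        findings.append("version field is %d, expected 4" % version)
    # Header-length and total-length fields must agree with the bytes actually on
    # the wire; a parser that trusts them blindly reads past its buffer.
    if ihl < 20:
        return findings + ["IHL %d bytes is below the 20-byte minimum" % ihl]
    if ihl > len(pkt):
        return findings + ["IHL %d bytes exceeds captured length %d" % (ihl, len(pkt))]
    total_length = struct.unpack("!H", pkt[2:4])[0]
    if total_length < ihl:
        findings.append("total length %d is smaller than header length %d" % (total_length, ihl))
    elif total_length > len(pkt):
        findings.append("total length %d exceeds captured length %d" % (total_length, len(pkt)))
    if ipv4_header_checksum(pkt[:ihl]) != 0:
        findings.append("header checksum mismatch")
    return findings

# Constructed sample: 20-byte header, TTL 64, protocol 17 (UDP), 192.0.2.1 -> 192.0.2.2,
# followed by an 8-byte zero payload. ihl_words only sets the IHL field (to fake a header).
def build_sample(total_length: int, ihl_words: int = 5, checksum: int = None) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_length, 0, 0,
                      64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    if checksum is None:
        checksum = ipv4_header_checksum(hdr)  # checksum field is zero, so this is the real value
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:] + b"\x00" * 8

SAMPLES = {
    "well-formed": build_sample(28),
    "bad-checksum": build_sample(28, checksum=0x1234),
    "length-overrun": build_sample(1500),           # claims 1500 bytes, only 28 captured
    "ihl-overrun": build_sample(28, ihl_words=15),  # claims a 60-byte header
}
```

Running `check_ipv4_packet` over each entry of `SAMPLES` flags the three malformed packets and passes the well-formed one; in practice the packets would come from a capture rather than the constructed dictionary.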