Cybersecurity researchers disclosed a dozen new flaws in multiple widely-used embedded TCP/IP stacks impacting millions of devices ranging from networking equipment and medical devices to industrial control systems that could be exploited by an attacker to take control of a vulnerable system.
Collectively called “AMNESIA:33” by Forescout researchers, it is a set of 33 vulnerabilities that impact four open-source TCP/IP protocol stacks — uIP, FNET, picoTCP, and Nut/Net — that are commonly used in Internet-of-Things (IoT) and embedded devices.
As a consequence of improper memory management, successful exploitation of these flaws could cause memory corruption, allowing attackers to compromise devices, execute malicious code, performing denial-of-service (DoS) attacks, steal sensitive information, and even poison DNS cache.
In the real world, these attacks could play out in various ways: disrupting the functioning of a power station to result in a blackout or taking smoke alarm and temperature monitor systems offline by using any of the DoS vulnerabilities.
The flaws, which will be detailed today at the Black Hat Europe Security Conference, were discovered as part of Forescout’s Project Memoria initiative to study the security of TCP/IP stacks.
The development has prompted the CISA ICS-CERT to issue a security advisory in an attempt to provide early notice of the reported vulnerabilities and identify baseline preventive measures for mitigating risks associated with the flaws.
Millions of devices from an estimated 158 vendors are vulnerable to AMNESIA:33, with the possibility of remote code execution allowing an adversary to take complete control of a device, and using it as an entry point on a network of IoT devices to laterally move, establish persistence, and co-opt the compromised systems into botnets without their knowledge.
“AMNESIA:33 affects multiple open source TCP/IP stacks that are not owned by a single company,” the researchers said. “This means that a single vulnerability tends to spread easily and silently across multiple codebases, development teams, companies and products, which presents significant challenges to patch management.”
Because these vulnerabilities span across a complex IoT supply chain, Forescout cautioned it’s as challenging it is to determine which devices are affected as they are hard to eradicate.
Like the Urgent/11 and Ripple20 flaws that were disclosed in recent times, AMNESIA:33 stems from out-of-bounds writes, overflow flaws, or a lack of input validation, leading to memory corruption and enabling an attacker to put devices into infinite loops, poison DNS caches, and extract arbitrary data.
Three of the most severe issues reside in uIP (CVE-2020-24336), picoTCP (CVE-2020-24338), and Nut/Net (CVE-2020-25111), all of which are remote code execution (RCE) flaws and have a CVSS score of 9.8 out of a maximum of 10.
- CVE-2020-24336 – The code for parsing DNS records in DNS response packets sent over NAT64 does not validate the length field of the response records, allowing attackers to corrupt memory.
- CVE-2020-24338 – The function that parses domain names lacks bounds checks, allowing attackers to corrupt memory with crafted DNS packets.
- CVE-2020-25111 – A heap buffer overflow occurring during the processing of the name field of a DNS response resource record, allowing an attacker to corrupt adjacent memory by writing an arbitrary number of bytes to an allocated buffer.
As of writing, vendors such as Microchip Technology and Siemens that have been affected by the reported vulnerabilities have also released security advisories.
“Embedded systems, such as IoT and [operational technology] devices, tend to have long vulnerability lifespans resulting from a combination of patching issues, long support lifecycles and vulnerabilities ‘trickling down’ highly complex and opaque supply chains,” Forescout said.
“As a result, vulnerabilities in embedded TCP/IP stacks have the potential to affect millions – even billions – of devices across verticals and tend to remain a problem for a very long time.”
Besides urging organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures, CISA has recommended minimizing network exposure, isolating control system networks and remote devices behind firewalls, and using Virtual Private Networks (VPNs) for secure remote access.