Forescout Research Labs last month released a 14-page white paper and a 47-page research report detailing 33 vulnerabilities affecting millions of Internet of Things (IoT), Operational Technology (OT), and IT devices. Dubbed AMNESIA:33, these newly identified vulnerabilities span four widely used TCP/IP stacks and leave products from more than 150 vendors potentially exposed.
Forescout’s findings are the first published study under Project Memoria, an initiative to understand the flaws and threats rooted in TCP/IP stacks for organizations. Malicious actors familiar with the vulnerabilities can exploit them on a wide range of devices to gain access, move laterally within networks, and cause extensive damage. Because AMNESIA:33 affects a sprawling body of code embedded deep inside device subsystems, the task of identifying and patching vulnerable devices in your organization is as daunting as it is essential.
This article will touch on TCP/IP stacks’ role in network security, the critical vulnerabilities identified by Forescout, and immediate steps to mitigate AMNESIA:33 attacks.
TCP/IP: Ubiquitous and insecure
The communication protocols used in internet-capable devices are commonly known as TCP/IP stacks, short for Transmission Control Protocol (TCP) and Internet Protocol (IP). Their implementation within networks dates back to the beginning of modern computing, and they remain a fundamental component of most devices, so they are ubiquitous and more exploitable than imagined.
Today, TCP/IP stacks exist as built-in software on almost every computing platform. The rules defined by TCP and IP control how packets move between devices: TCP manages the transport of packets across internet-connected networks, while IP addresses packets to a specific destination. The four TCP/IP protocol layers are the link layer, internet layer, transport layer, and application layer. While the latter two layers are the most familiar to IT professionals managing network security, it is the location of these flaws in the deeper layers of the TCP/IP model that makes AMNESIA:33 so dangerous.
Last August, Forescout collaborated with JSOF in reporting on the Ripple20 disclosure. When that research showed that TCP/IP security bugs were not limited to a few vendor-specific stacks, Project Memoria was launched to expand the study of these vulnerabilities. Before AMNESIA:33, Ripple20, a set of 19 vulnerabilities in the Treck TCP/IP stack impacting hundreds of millions of devices, had been the most widely reported TCP/IP disclosure to date.
As to why Project Memoria focuses on TCP/IP security, the answer is simple: open source software is frequently shipped with embedded TCP/IP stacks that users rarely notice.
The thirty-three newly identified flaws collectively dubbed AMNESIA:33 nearly equal the sum of similar vulnerabilities discovered since 2013.
Affected TCP/IP stacks
For their analysis, Forescout selected a sample of seven open source embedded TCP/IP stacks, all used or supported by popular open source real-time operating systems (RTOS). Using a combination of automated fuzzing based on libFuzzer and static analysis based on Joern, four of the seven stacks were found to contain vulnerabilities: uIP, picoTCP, FNET, and Nut/Net. Fuzzing found 11 vulnerabilities in uIP and picoTCP, while the remaining 22 vulnerabilities were split among the four stacks.
Forescout’s research covers each vulnerability along with its affected components, anti-patterns, exploitability, and potential impact. Impacted stack components include DNS, IPv6, IPv4, TCP, ICMP, LLMNR, and mDNS. Forescout found DNS to be the most vulnerable component due to its complexity, with the TCP, IPv4, and IPv6 sub-stacks not far behind.
The 33 stack vulnerabilities amount to 38 potential impacts to organizations, with a handful of vulnerabilities giving actors multiple options. The breakdown of the possible attacks rooted in AMNESIA:33 is:
- Denial of Service (DoS): 26
- Information Leaks: 6
- Remote Code Execution (RCE): 4
- DNS Cache Poisoning: 2
The millions of devices impacted by AMNESIA:33 stacks include embedded device components and network, office, consumer IoT, and OT devices.
| Device category | Examples |
|---|---|
| Embedded components | Processors and operating systems such as Systems on a Chip (SoC), connectivity modules, and OEM boards |
| Network & office | Appliances that carry network traffic between devices, such as printers, routers, and servers |
| Consumer Internet of Things (IoT) | Physical devices enabled for communication locally and with an external environment, e.g., smart devices, sensors, and game consoles |
| Operational Technology (OT) | Computing systems used in industrial operations, such as access controls, IP cameras, protocol gateways, and HVAC systems |
Forescout notes that enterprise and home network IoT, OT, and IT devices are often built from a “mixed and matched” set of components. The swath of components that end up on embedded devices is hardly noticed, let alone inspected for potential vulnerabilities, by end consumers.
AMNESIA:33 leaves devices and networks open to four potential memory corruption threats. With the right resources, actors could take full control of target devices, halt network functionality, breach sensitive information, or inject malicious DNS records. The bulk of potential impacts (79%) for AMNESIA:33 vulnerabilities are DoS attacks.
Remote Code Execution (RCE)
Remote code execution (RCE) gives an attacker a foothold on an initial device. From there, the attacker can linger and move laterally through an unsecured network, gaining local administrative access and compromising data. Vulnerability assessments and penetration testing can be helpful tools for identifying potential breaches and existing malicious actors.
Denial of Service (DoS)
Denial of service (DoS) attacks deny service to legitimate users, thereby making the network inaccessible. During a DoS attack, actors flood the target with traffic, causing server malfunction or shutdown. Advances in TCP/IP technology have done well at blocking targeted DoS packets over time, but the problem remains. In DoS attacks, both individual devices and wider networks are potential targets.
DNS Cache Poisoning
DNS cache poisoning, or DNS spoofing, is an attack in which an actor injects faulty data into a recursive Domain Name System (DNS) server. By doing this, the attacker can redirect traffic from the organization’s network to a malicious one. From there, a user or device could unknowingly be placing sensitive information in the attacker’s lap.
Mitigating AMNESIA risks
Forescout offered six recommendations for mitigating AMNESIA:33 risks:
- Assess your risk and exposure
- Rely on internal DNS servers
- Disable or block IPv6 traffic
- Segment devices to reduce risk
- Patch devices if possible
- Monitor for malformed packets
Depending on the size of your organization, completing these steps is easier said than done. In short, you can start today by inventorying vulnerable devices, avoiding external DNS servers, actively patching, and, if possible, disabling IPv6 traffic during your audit.
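The last recommendation, monitoring for malformed packets, is easiest to act on for DNS, the component Forescout found most vulnerable. The following is an added example, not code from the page or from Forescout’s tool: a defensive DNS name and record parser that refuses compression-pointer loops, labels that run past the end of the packet, and names over 255 bytes, run against constructed sample packets (the example.com answer and its malformed variants are assumptions made here).

```python
import struct

def read_name(pkt, offset):
    """Decode a DNS name at offset with bounds and loop checks; raise ValueError if malformed."""
    labels, total, end = [], 0, None
    while True:
        if offset >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[offset]
        if length >= 0xC0:                              # compression pointer (11xxxxxx)
            if offset + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | pkt[offset + 1]
            if target >= offset:                        # must point strictly backwards,
                raise ValueError("looping or forward pointer")  # else decompression loops
            end = offset + 2 if end is None else end    # caller resumes after first pointer
            offset = target
            continue
        if length == 0:                                 # root label ends the name
            return ".".join(labels), (offset + 1 if end is None else end)
        if offset + 1 + length > len(pkt):
            raise ValueError("label length exceeds packet")
        total += length + 1
        if total > 255:                                 # RFC 1035 cap on a decoded name
            raise ValueError("name longer than 255 bytes")
        labels.append(pkt[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def validate_response(pkt):
    """Walk the question and answer sections; return the names or raise ValueError."""
    if len(pkt) < 12:
        raise ValueError("truncated header")
    _, _, qd, an, _, _ = struct.unpack("!6H", pkt[:12])
    names, off = [], 12
    for i in range(qd + an):
        name, off = read_name(pkt, off)
        fixed = 4 if i < qd else 10                     # QTYPE/QCLASS vs TYPE/CLASS/TTL/RDLENGTH
        rdlen = 0 if i < qd else int.from_bytes(pkt[off + 8:off + 10], "big")
        off += fixed + rdlen
        if off > len(pkt):
            raise ValueError("record runs past end of packet")
        names.append(name)
    return names

# Constructed samples (not from the page): a good A answer, a self-pointing answer name, an oversized label.
Q = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
RR_TAIL = b"\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04" + bytes([192, 0, 2, 1])
GOOD = Q + b"\xc0\x0c" + RR_TAIL        # answer name is a pointer back to offset 12
LOOP = Q + b"\xc0\x1d" + RR_TAIL        # pointer to itself at offset 29
OVERRUN = Q[:12] + b"\x3fexample\x00\x00\x01\x00\x01"
```

Feeding captured DNS responses through validate_response and alerting on ValueError gives a simple malformed-packet monitor for the cases above.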
Forescout releases TCP/IP detection tool
Forescout also released a detection tool on GitHub that can help you determine whether any of your organization’s network devices contain an AMNESIA:33 vulnerability. When run, the script uses active fingerprinting methods, such as ICMP probing and TCP packet responses, to identify devices with vulnerable stacks. Note that the script should be run in a laboratory environment rather than directly against your organization’s production network.
AMNESIA:33’s impact on your organization comes down to vulnerability testing and device management on your network. If your organization isn’t taking a hands-on approach to monitoring your technology inventory, then take this event as a wake-up call. With vulnerabilities in TCP/IP stacks becoming more visible, IT managers have to be adaptable and ready to identify and patch any potential flaws that could result in an exposure. With initiatives like Project Memoria endeavoring to understand TCP/IP stacks better, there’s hope for more robust research and solutions.