Researchers – as well as the U.S. Cybersecurity Infrastructure Security Agency (CISA) – are warning of a set of serious vulnerabilities affecting TCP/IP stacks. The flaws impact millions of internet-of-things (IoT) devices and embedded systems, including smart thermometers, smart plugs and printers.
The 33 vulnerabilities – four of which are critical – are dubbed Amnesia:33 by Forescout researchers who discovered them. They could enable a range of malicious attacks – from memory corruption to denial of service, and information leaks to remote code execution, Forescout researcher Daniel dos Santos said during this week’s Threatpost podcast.
Also, check out our podcast microsite, where we go beyond the headlines on the latest news.
“Exploiting these vulnerabilities could allow an attacker to take control of a device, thus using it as an entry point on a network (for internet-connected devices), as a pivot point for lateral movement, as a persistence point on the target network or as the final target of an attack,” Forescout researchers said in a Tuesday report.
The name “Amnesia:33” refers to the fact that most of the flaws stem from memory corruption – coupled with the fact that there are 33 flaws.
While researchers did not specify which vendors and specific devices were affected by the set of vulnerabilities, they said at least 150 vendors were affected. Many of the issues behind Amnesia:33 stem from bad software development practices, such as an absence of basic input validation, said researchers.
The flaws are found in four (out of seven analyzed) TCP/IP stacks (including uIP, picoTCP, FNET and Nut/Net), which are a set of communication protocols used by internet-connected devices. Because multiple open-source TCP/IP stacks are affected, which are not owned by a single company, it presents tough patch management challenges for Amnesia:33, warned researchers.
TCP/IP issues have previously been found with related vulnerability sets, Ripple20 and Urgent/11.
While four TCP/IP stacks were affected, researchers warn that several of these stacks have branched out or are used in multiple code bases, posing further patch management difficulties.
“Despite much effort from all the parties, official patches were only issued by the Contiki-NG, PicoTCP-NG, FNET and Nut/Net projects,” said researchers. “At the time of writing, no official patches have been issued for the original uIP, Contiki and PicoTCP projects, which we believe have reached end-of-life status but are still available for download. Some of the vendors and projects using these original stacks, such as open-iscsi, issued their own patches.”
In terms of mitigation, researchers recommend various coursees of action in protecting networks from the Amnesia:33 TCP/IP flaws, including disabling or blocking IPv6 traffic when it’s not necessary; configuring devices to rely on internal DNS servers as much as possible; and monitoring all network traffic for malformed packets that try to exploit known flaws.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.