
CISA Warns More Critical Flaws Found in Open Source TCP/IP Stacks

Forescout discovered further critical vulnerabilities found in open source TCP/IP stacks. CISA warns a successful exploit could allow an attacker to take control of connections.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released an alert detailing further critical vulnerabilities in a range of open source TCP/IP stacks. A successful exploit could allow an attacker to take control of connections, among other malicious activities.

The TCP/IP stack, or internet protocol suite, is a set of four layers of communication protocols (including application protocols such as HTTP and FTP) used by networks and the internet. These stacks are widely used across a range of sectors for network communication.

“Security controls exist for network communications at each layer of the TCP/IP model,” according to NIST. “Data is passed from the highest to the lowest layer, with each layer adding more information.”

“Because of this, a security control at a higher layer cannot provide protection for lower layers, because the lower layers perform functions of which the higher layers are not aware,” it added.

The alert follows several previous warnings on TCP/IP stack vulnerabilities, such as Amnesia:33 and Ripple20. Those flaws impacted more than 150 vendors and millions of IoT, IT, and OT devices, including millions of medical devices in healthcare.

The latest vulnerability disclosure has been dubbed NUMBER:JACK and is the second phase of Forescout's research following AMNESIA:33. In total, the researchers found nine Initial Sequence Number (ISN) generation vulnerabilities in the 11 stacks they analyzed.

“ISNs ensure that every TCP connection between two devices is unique and that there are no collisions, preventing third parties from interfering with an ongoing connection,” researchers explained. “To guarantee these properties, ISNs must be randomly generated so that an attacker cannot guess an ISN and hijack an ongoing connection or spoof a new one.”

“As discussed below, in many of the TCP/IP stacks that Forescout analyzed, ISNs are improperly generated, thereby leaving TCP connections of a device open to attacks,” they added.

A successful exploit of a weak ISN could allow an attacker to bypass authentication, hijack or spoof TCP connections, cause denial-of-service conditions, or even inject malicious data.

These flaws are technically less critical than the previously disclosed vulnerabilities, but they are more prevalent. Most of them are found in stacks used primarily in embedded systems, which could further widen the impact of a successful exploit.

The impacted products include: Nut/Net, CycloneTCP, NDKTCPIP, FNET, uIP-Contiki, uC/TCP-IP, picoTCP, MPLAB Net, and Nucleus NET and ReadyStart for ARM, MIPS, and PPC.

For example, Nut/Net relies on highly predictable source values and uses constant increments to generate ISNs, which could enable spoofing. The flaws are similar across the impacted products, though the root cause of the weak values varies from stack to stack.

The concern is that there are several known public deployments of the impacted TCP/IP stacks, including a range of medical devices, IT storage systems, and a host of others.

What’s more, Forescout noted that this class of vulnerability has previously been used to break into general-purpose computers. After that exploit the weakness was thought to have been fixed, but Google later discovered the same vulnerabilities, and the latest research determined that many of the same ISN flaws remain in these impacted stacks.

For the latest vulnerabilities, many of the vendors have already issued patches, but some weaknesses remain in several products.

To mitigate the risk of these vulnerabilities, it’s critical for administrators to identify and patch devices running on vulnerable stacks. Researchers stressed that it will be a challenge to successfully accomplish this necessary task, as “embedded devices are notoriously difficult to manage and update, often being part of mission-critical infrastructure.”

“Although it is challenging to identify the TCP/IP stack running on a device, there are tools to help,” researchers explained. “[For example] Nmap allows the collection of ISN metrics and performs statistical analyses to understand whether a target device suffers from weak ISN generation.”
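The kind of check the researchers describe can be illustrated in a few lines. The following is an added example, not code from Forescout, CISA, Nmap or any of the affected stacks: `WeakIsnGenerator` is a constructed model of the flaw class described above (a predictable start value plus a constant increment), `Rfc6528IsnGenerator` follows the RFC 6528 construction (a 4 µs clock plus a keyed hash of the connection 4-tuple and a secret key), and `assess_isn_samples` reduces a run of observed ISNs to the figures a defender looks at (deltas, their GCD, distinct-delta count, spread). The assessment is in the spirit of the ISN statistics Nmap reports, not Nmap's own algorithm, and all addresses, ports and thresholds are constructed values.

```python
"""Added example: a constructed weak ISN generator next to an RFC 6528 style
one, and a simple predictability check over sampled ISNs. None of this is
code from Forescout, CISA, Nmap or the affected stacks."""
import hashlib
import hmac
import secrets
import statistics
import time
from functools import reduce
from math import gcd

MOD = 2 ** 32  # TCP sequence numbers are 32-bit


class WeakIsnGenerator:
    """Constructed model of the NUMBER:JACK flaw class: a fixed seed plus a
    constant increment per new connection, independent of the peer."""

    def __init__(self, seed=0x1000, step=64):
        self.current = seed % MOD
        self.step = step

    def next_isn(self, *_connection):  # the 4-tuple is ignored, which is the bug
        isn = self.current
        self.current = (self.current + self.step) % MOD
        return isn


class Rfc6528IsnGenerator:
    """RFC 6528: ISN = M + F(local_ip, local_port, remote_ip, remote_port, key),
    with M a clock ticking every 4 us and F a keyed hash. Key and clock are
    injectable so the check below is reproducible; real stacks use a boot-time
    random key and the system clock."""

    def __init__(self, secret_key=None, clock_ns=time.monotonic_ns):
        self.key = secret_key if secret_key is not None else secrets.token_bytes(16)
        self.clock_ns = clock_ns

    def next_isn(self, local_ip, local_port, remote_ip, remote_port):
        m = (self.clock_ns() // 4000) % MOD  # 4 microsecond ticks
        conn = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
        f = int.from_bytes(hmac.new(self.key, conn, hashlib.sha256).digest()[:4], "big")
        return (m + f) % MOD


def collect_isns(generator, n=8, remote_ip="192.0.2.10", first_port=40000):
    """Simulate an ISN sampler: open n connections from distinct source ports
    (constructed addresses) and record the ISN the device chose each time."""
    return [generator.next_isn("192.0.2.1", 80, remote_ip, first_port + i) for i in range(n)]


def assess_isn_samples(isns, min_stdev=2 ** 20):
    """Reduce observed ISNs to deltas between consecutive samples, their GCD
    (a constant step shows up here), the number of distinct deltas and their
    spread. The 'weak' verdict fires when deltas repeat or barely vary; the
    threshold is a constructed heuristic, not a standard."""
    deltas = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    spread = statistics.pstdev(deltas) if deltas else 0.0
    distinct = len(set(deltas))
    weak = distinct < len(deltas) // 2 + 1 or spread < min_stdev
    return {
        "deltas": deltas,
        "gcd": reduce(gcd, deltas, 0),
        "distinct_deltas": distinct,
        "stdev": spread,
        "verdict": "weak: predictable ISN generation" if weak else "no obvious weakness in sample",
    }


if __name__ == "__main__":
    for name, gen in (("constructed weak stack", WeakIsnGenerator()),
                      ("RFC 6528 style", Rfc6528IsnGenerator())):
        report = assess_isn_samples(collect_isns(gen))
        print(f"{name}: gcd={report['gcd']} distinct={report['distinct_deltas']} "
              f"stdev={report['stdev']:.0f} -> {report['verdict']}")
```

The weak generator yields deltas that are all 64, so the GCD is 64, there is one distinct delta and the spread is zero; the RFC 6528 generator yields deltas that look uniformly random over 32 bits because the keyed hash changes with every source port. Sampling from distinct source ports matters: RFC 6528 deliberately makes repeated connections on the same 4-tuple advance only by the clock, so a sampler that reused one port would misjudge a correct implementation.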

“Monitor progressive patches released by affected device vendors and devise a remediation plan for your vulnerable asset inventory balancing business risk and business continuity requirements,” they added.

Until patches are released, or until an entity is able to apply them, affected devices must be segmented away from the enterprise network to reduce exposure and the potential impact of a successful exploit.

Forescout further recommended the use of IPsec, an end-to-end cryptographic protocol that operates at the network layer. It requires no modification to the TCP/IP stack in use and helps defend against TCP spoofing and connection-reset attacks, though its use comes at the cost of network bandwidth.

CISA added that when remote access is required, entities should use secure methods such as a Virtual Private Network (VPN). Lastly, cryptographic protocols such as Transport Layer Security (TLS) should be used to protect data in transit.
