33 TCP/IP Stack Flaws Pose Hacking Risk to Millions of IT, IoT Devices
Dubbed Amnesia:33, a group of TCP/IP stack vulnerabilities found in millions of IT and IoT devices puts these platforms at risk of hacking, remote code execution, and data loss.
A new Forescout Research Labs report disclosed a set of 33 vulnerabilities found in four open source TCP/IP stacks, foundational elements of millions of IT and IoT devices, including those in healthcare. A successful exploit could result in remote code execution, or even data loss.
Dubbed Amnesia:33, the flaws impact over 150 vendors and millions of IoT, IT, and OT devices. Researchers stressed the impact could be much greater, as vulnerable stacks are widely spread across devices, highly modular, and incorporated into undocumented, deeply embedded subsystems.
Soon after the Forescout disclosure, the CERT Coordination Center issued an alert on the vulnerabilities that lists which vendors are affected and which are confirmed not to be.
Overall, the group of vulnerabilities has four categories of potential impact: remote code execution (RCE), denial of service (DoS through a crash or an infinite loop), data leak, and DNS cache poisoning.
An attacker could exploit these flaws to take full control of a targeted device via RCE, impair the device's function via DoS, access and/or steal potentially sensitive information, or inject malicious DNS records to direct a device toward an attacker-controlled domain.
Most of the Amnesia:33 flaws impact the DNS, IPv6, and TCP components. Forescout explained that “to exploit AMNESIA:33 vulnerabilities, an attacker needs a communication path to a vulnerable device or a routed path to an internal network.”
The affected TCP/IP stacks are found in operating systems, systems-on-a-chip, networking equipment, embedded devices, and a host of enterprise and consumer IoT devices. The flaws are found in the uIP, FNET, picoTCP and Nut/Net stacks, none of which is owned by a single company.
As a result, these vulnerabilities easily spread across multiple codebases, development teams, companies and products. Thus, disclosing and identifying vulnerable devices will prove challenging, researchers explained.
The vulnerabilities join an earlier disclosure from JSOF, Ripple20: a set of 19 critical flaws found in the TCP/IP communication stack of hundreds of millions of IoT and connected devices.
The flaws were found in the low-level TCP/IP software library developed by Treck and included multiple remote code execution possibilities. The healthcare sector was the most impacted by Ripple20, and much like Amnesia:33, identifying vulnerable devices has proved problematic.
The Amnesia:33 flaws impact seven different stack components: DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS. Two flaws only affect 6LoWPAN wireless devices. Four flaws have been ranked as critical, given the risk of RCE on certain devices.
Many of the reported vulnerabilities stem from bad software development practices, including the absence of basic input validation. Memory corruption is the largest category of flaw, and it could allow DoS, data leaks, or RCE.
“DNS appears to be a vulnerability-prone component because it is a complex, feature-rich protocol, different from many other components in the stack,” researchers explained. “Indeed, the DNS component is a client that usually communicates with a few standard servers rather than a server that communicates with many other clients.”
“This may lead to errors in the implementations,” they added.
Forescout stressed that TCP/IP stack vulnerabilities pose serious risks, as they occur independently of the applications running on top of the stack and do not require a TCP or UDP port to be open for a successful exploit to occur.
Further, some vulnerable implementations first attempt to fully parse an incoming TCP/UDP packet before checking whether it belongs to an existing connection. This could result in a successful exploit even if there aren’t any open ports. Other Amnesia:33 flaws include out-of-bounds reads and writes, integer overflows, and state confusion.
“Exploiting these vulnerabilities could allow an attacker to take control of a device, thus using it as an entry point on a network for internet-connected devices, as a pivot point for lateral movement, as a persistence point on the target network, or as the final target of an attack,” researchers explained.
“For enterprise organizations, this means they are at increased risk of having their network compromised or having malicious actors undermine their business continuity,” they added. “A security flaw in a TCP/IP stack can be extremely dangerous because the code in these components may be used to process every incoming network packet that reaches a device.”
Thus, some TCP/IP stack flaws allow a device to be exploited simply because it is on the network, even when it is not running any specific application.
Mitigation Tactics
To mitigate these risks, organizations must perform a thorough risk assessment, including identifying potentially vulnerable devices, the business context and criticality of the device, communication pathways, and internet exposure.
From the risk assessment, administrators can then determine the level of mitigation required to protect devices vulnerable to Amnesia:33.
Administrators should configure devices to rely on internal DNS servers when possible, closely monitor external DNS traffic, and disable or block unnecessary IPv6 network traffic.
IoT and other impacted devices deemed unpatchable must be segmented to minimize network exposure and to reduce the risk of compromise.
However, identifying and patching vulnerable devices is the best way organizations can minimize the risk posed by these vulnerabilities. Forescout noted that some patches may not be available for embedded components and directly patching could void the device manufacturer’s warranty.
“Monitor all network traffic for malformed packets (for example, having non-conforming field lengths or failing checksums) that try to exploit known vulnerabilities or possible zero days, since many vulnerabilities are related to IPv4 and other standard components of stacks,” researchers explained.
“Anomalous and malformed IP traffic should be blocked, or network operators should receive alerts regarding their presence,” they concluded. “Noncompliant devices (e.g., unpatched devices or those with weak/default credentials and legacy OSes, among others) are often the primary targets for attackers.”
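The monitoring advice above (non-conforming field lengths, failing checksums) and the earlier point about missing input validation in DNS parsing both come down to the same handful of checks. The following Python script is an added example, not code from the Forescout report or from any of the four stacks: it validates constructed IPv4/UDP/DNS packets the way a defensive packet filter or IDS pre-processor would, rejecting inconsistent IPv4 header and length fields, a failing header checksum, and DNS names whose labels or compression pointers run outside the packet. The sample packets, addresses and port numbers are constructed inline for illustration.

```python
"""Flag malformed IPv4/UDP/DNS packets: bad header lengths, failing IPv4
checksum, and DNS names that run past the end of the packet or loop on
themselves. All sample packets below are constructed for this example."""
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 when the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def walk_dns_name(payload: bytes, offset: int):
    """Walk one DNS name with explicit bounds checks.
    Returns (offset just past the name in the original stream, None) if well-formed,
    or (None, reason) if malformed."""
    end = None          # set at the first compression pointer; the name ends there
    hops = 0
    while True:
        if offset >= len(payload):
            return None, "dns name runs past end of packet"
        length = payload[offset]
        if length == 0:
            return (end if end is not None else offset + 1), None
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(payload):
                return None, "truncated compression pointer"
            target = ((length & 0x3F) << 8) | payload[offset + 1]
            if target >= offset:                       # only backward pointers are legal
                return None, "compression pointer does not point backwards"
            if end is None:
                end = offset + 2
            offset = target
            hops += 1
            if hops > 16:
                return None, "compression pointer loop"
            continue
        if length > 63:                                # 0x40/0x80 prefixes are reserved
            return None, "label length %d exceeds 63" % length
        offset += 1 + length


def check_packet(packet: bytes) -> list:
    """Return a list of reasons the packet is malformed (empty list = looks sane)."""
    problems = []
    if len(packet) < 20:
        return ["ipv4 header shorter than 20 bytes"]
    ver_ihl, _, total_len = struct.unpack("!BBH", packet[:4])
    if ver_ihl >> 4 != 4:
        return ["not an ipv4 packet"]
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return ["ihl %d out of range" % ihl]
    if total_len < ihl or total_len > len(packet):
        return ["total length %d inconsistent with %d bytes on the wire" % (total_len, len(packet))]
    if ipv4_checksum(packet[:ihl]) != 0:
        problems.append("ipv4 header checksum mismatch")
    if packet[9] != 17:                                # only UDP is inspected further here
        return problems
    udp = packet[ihl:total_len]
    if len(udp) < 8:
        return problems + ["udp header truncated"]
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if udp_len < 8 or udp_len > len(udp):
        return problems + ["udp length %d inconsistent" % udp_len]
    if 53 not in (sport, dport):
        return problems
    dns = udp[8:udp_len]
    if len(dns) < 12:
        return problems + ["dns header truncated"]
    qdcount = struct.unpack("!H", dns[4:6])[0]
    offset = 12
    for _ in range(qdcount):                           # question section only, for brevity
        offset, reason = walk_dns_name(dns, offset)
        if reason:
            problems.append(reason)
            break
        if offset + 4 > len(dns):                      # QTYPE + QCLASS must fit
            problems.append("dns question truncated")
            break
        offset += 4
    return problems


def build_dns_query(qname_wire: bytes) -> bytes:
    """Construct an IPv4/UDP packet carrying a DNS query for the given wire-format name."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname_wire + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                      bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53]))   # constructed addresses
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


# Constructed samples: one sane query and four malformed variants.
GOOD = build_dns_query(b"\x07example\x03com\x00")
BAD_CHECKSUM = GOOD[:8] + b"\x41" + GOOD[9:]            # TTL altered, checksum not recomputed
TRUNCATED_NAME = build_dns_query(b"\x3fshort\x00")      # label claims 63 bytes, only 5 present
SELF_POINTER = build_dns_query(b"\xc0\x0c")             # pointer to itself at offset 12
BAD_IHL = bytes([0x43]) + GOOD[1:]                      # IHL of 3 words (12 bytes)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("bad_checksum", BAD_CHECKSUM),
                      ("truncated_name", TRUNCATED_NAME), ("self_pointer", SELF_POINTER),
                      ("bad_ihl", BAD_IHL)]:
        print(name, check_packet(pkt) or "ok")
```

The truncated-label and self-pointer cases are exactly the inputs a parser without bounds checks would read or write past its buffer on; a stack that validates every length field against the bytes actually received, as `walk_dns_name` does, turns those inputs into a dropped packet instead of memory corruption.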