Several new critical flaws have been discovered in multiple embedded TCP/IP stacks that affects millions of IoT devices ranging from networking equipment and medical devices to industrial control systems. These devices could be exploited by a threat actor to take control of a vulnerable system.
Forescout researchers have disclosed the flaws which has been collectively named as”AMNESIA:33.” It is a set of 33 vulnerabilities that impact four open-source TCP/IP protocol stacks — uIP, FNET, picoTCP, and Nut/Net — that are commonly used in Internet-of-Things (IoT) and embedded devices.
On successful exploitation of these flaws, it can cause memory corruption, allowing attackers to compromise devices, execute malicious code, perform denial-of-service (DoS) attacks, steal sensitive information, and even poison DNS cache.
The flaws were discovered as part of Forescout’s Project Memoria initiative to study the security of TCP/IP stacks.
The CISA ICS-CERT have issued a security advisory in order to provide early notice of the reported vulnerabilities and identify preventive measures for mitigating the risks.
It is estimated that millions of devices from around 158 vendors are vulnerable to AMNESIA:33, with the possibility of remote code execution allowing an adversary to take complete control of a device, and using it as an entry point on a network of IoT devices to laterally move, establish persistence, and co-opt the compromised systems into botnets without their knowledge.
The researchers said that AMNESIA:33 affects multiple open-source TCP/IP stacks that are not owned by a single company. So, a single vulnerability tends to spread easily and silently across multiple codebases, development teams, companies and products, which presents significant challenges to patch management.
AMNESIA:33 stems from out-of-bounds writes, overflow flaws, or a lack of input validation, leading to memory corruption and enabling an attacker to put devices into infinite loops, poison DNS caches, and extract arbitrary data.
Three of the most severe issues reside in uIP (CVE-2020-24336), picoTCP (CVE-2020-24338), and Nut/Net (CVE-2020-25111), all of which are remote code execution (RCE) flaws and have a severity of 9.8 out of a maximum of 10.
CVE-2020-24336 – The code for parsing DNS records in DNS response packets sent over NAT64 does not validate the length field of the response records, allowing attackers to corrupt memory.
CVE-2020-24338 – The function that parses domain names lacks bounds checks, allowing attackers to corrupt memory with crafted DNS packets.
CVE-2020-25111 – A heap buffer overflow occurring during the processing of the name field of a DNS response resource record, allowing an attacker to corrupt adjacent memory by writing an arbitrary number of bytes to an allocated buffer.
The vendors, Microchip Technology and Siemens have been affected by the reported vulnerabilities and they have also released security advisories.
Embedded systems, such as IoT devices, have long vulnerability lifespans due to a combination of patching issues, long support lifecycles and vulnerabilities ‘trickling down’ highly complex and opaque supply chains. So, the vulnerabilities in embedded TCP/IP stacks have the potential to affect millions – even billions – of devices across verticals and can be a problem for a very long time.
CISA urges all organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. They also recommend minimizing network exposure, isolating control system networks and remote devices behind firewalls, and using Virtual Private Networks (VPNs) for secure remote access.
Image Credits : Forescout