A new set of vulnerabilities has been discovered affecting millions of routers and IoT and OT devices from more than 150 vendors, new research warns.
Researchers – as well as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) – are warning of a set of serious vulnerabilities affecting TCP/IP stacks. The flaws impact millions of internet-of-things (IoT) devices and embedded systems, including smart thermometers, smart plugs and printers.
The 33 vulnerabilities – four of which are critical – are dubbed Amnesia:33 by Forescout researchers who discovered them. They could enable a range of malicious attacks – from memory corruption to denial of service, and information leaks to remote code execution, Forescout researcher Daniel dos Santos said during this week’s Threatpost podcast.
“Exploiting these vulnerabilities could allow an attacker to take control of a device, thus using it as an entry point on a network (for internet-connected devices), as a pivot point for lateral movement, as a persistence point on the target network or as the final target of an attack,” Forescout researchers said in a Tuesday report.
The name “Amnesia:33” refers to the fact that most of the flaws stem from memory corruption – coupled with the fact that there are 33 flaws.
While researchers did not specify which vendors and specific devices were affected by the set of vulnerabilities, they said at least 150 vendors were affected. Many of the issues behind Amnesia:33 stem from bad software development practices, such as an absence of basic input validation, said researchers.
The flaws are found in four of the seven TCP/IP stacks analyzed (uIP, picoTCP, FNET and Nut/Net). A TCP/IP stack implements the set of communication protocols used by internet-connected devices.
Because the affected TCP/IP stacks are open source and not owned by a single company, Amnesia:33 presents tough patch management challenges, researchers warned.
TCP/IP issues have previously been found with related vulnerability sets, Ripple20 and Urgent/11.
While four TCP/IP stacks were affected, researchers warn that several of these stacks have branched out or are used in multiple code bases, posing further patch management difficulties.
“Despite much effort from all the parties, official patches were only issued by the Contiki-NG, PicoTCP-NG, FNET and Nut/Net projects,” said researchers. “At the time of writing, no official patches have been issued for the original uIP, Contiki and PicoTCP projects, which we believe have reached end-of-life status but are still available for download. Some of the vendors and projects using these original stacks, such as open-iscsi, issued their own patches.”
In terms of mitigation, researchers recommend various courses of action to protect networks from the Amnesia:33 TCP/IP flaws, including disabling or blocking IPv6 traffic when it’s not necessary; configuring devices to rely on internal DNS servers as much as possible; and monitoring all network traffic for malformed packets that try to exploit known flaws.
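The three recommendations above can be turned into a monitoring check on a device segment. The following is an added example, not code from Forescout or from this article: it flags IPv6 traffic where it is supposed to be disabled, DNS queries sent to anything other than an internal resolver, and IPv4/UDP packets whose length fields disagree with the bytes captured. The resolver address, the function names and the sample packets are assumptions, and the length checks are generic input validation, not signatures for specific Amnesia:33 flaws.

```python
import ipaddress
import struct

# Assumption: constructed address of the site's internal DNS resolver.
INTERNAL_DNS = {ipaddress.ip_address("10.0.0.53")}

def triage(pkt, ipv6_expected=False):
    """Return a list of findings for one raw IP packet from a device segment."""
    if not pkt:
        return ["malformed: empty packet"]
    version = pkt[0] >> 4
    if version == 6:
        return [] if ipv6_expected else ["policy: IPv6 seen where it should be disabled"]
    if version != 4 or len(pkt) < 20:
        return ["malformed: bad IP version or truncated IPv4 header"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", pkt[2:8])
    # Length fields must agree with the bytes actually captured.
    if ihl < 20 or ihl > len(pkt):
        return ["malformed: IPv4 header length out of range"]
    if total_len < ihl or total_len > len(pkt):
        return ["malformed: IPv4 total length disagrees with captured bytes"]
    if pkt[9] != 17 or frag & 0x1FFF:
        return []  # only unfragmented UDP is inspected further
    udp = pkt[ihl:total_len]
    if len(udp) < 8:
        return ["malformed: truncated UDP header"]
    _sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    findings = []
    if ulen < 8 or ulen > len(udp):
        findings.append("malformed: UDP length disagrees with payload")
    dst = ipaddress.ip_address(pkt[16:20])
    if dport == 53 and dst not in INTERNAL_DNS:
        findings.append(f"policy: DNS query to non-internal resolver {dst}")
    return findings

def build_udp(dst, dport, payload, udp_len=None):
    """Build a constructed IPv4/UDP sample packet (checksums left at zero)."""
    ulen = 8 + len(payload) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", 40000, dport, ulen, 0) + payload
    src = ipaddress.ip_address("10.0.5.20").packed  # constructed device address
    dstb = ipaddress.ip_address(dst).packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       src, dstb) + udp

if __name__ == "__main__":
    for p in (build_udp("10.0.0.53", 53, b"q" * 12), build_udp("192.0.2.53", 53, b"q" * 12),
              build_udp("10.0.0.53", 53, b"q" * 12, udp_len=400), b"\x60" + bytes(39)):
        print(triage(p))
```

In practice the packets would come from a capture on the IoT or OT segment, and findings would feed an alerting pipeline.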
see also (in German): https://www.spiegel.de/netzwelt/web/33-sicherheitsluecken-gefaehrden-das-internet-der-dinge-a-4dda39c9-a78f-470d-a78a-be0bcbdd7254