Security researchers today disclosed 33 security flaws in four open-source TCP/IP libraries used in the firmware of products from more than 150 vendors.
Forescout researchers estimate that millions of consumer and industrial-grade devices are currently impacted by the security flaws they discovered and named Amnesia:33.
Impacted systems include almost anything you can think of: smartphones, gaming consoles, sensors, system-on-a-chip (SoC) boards, HVAC systems, printers, routers, switches, IP cameras, self-checkout kiosks, RFID asset trackers, badge readers, uninterruptible power supplies, and all sorts of industrial equipment.
The wide impact of the Amnesia:33 vulnerabilities is explained by the location of the security flaws: four widely used open-source libraries, uIP, FNET, picoTCP, and Nut/Net.
Over the past two decades, device makers have often added one of these four libraries to the firmware of their devices to allow their products to support TCP/IP, today's most widely used networking communications protocols.
Because these libraries provide crucial functions to a device, Forescout says that, if exploited, the 33 vulnerabilities would allow an attacker to perform a wide range of attacks, such as:
However, whether a device can be exploited through one of the Amnesia:33 bugs depends on which devices a company uses and where they are deployed on its network.
For example, by their nature, routers can be exploited remotely, as they are usually connected to a company's external interface. Other devices, like sensors and industrial equipment, might require that attackers gain access to a company's internal network first.
Forescout said it found the Amnesia:33 bugs as part of a research project it started earlier this year, named Project Memoria.
Inspired by the discovery of the Urgent/11 and Ripple20 vulnerabilities in the IPnet and Treck TCP/IP stacks last year, Forescout's Project Memoria analyzed the security of seven other TCP/IP libraries in search of similarly dangerous vulnerabilities.
"To perform our analysis, we used a combination of automated fuzzing (white-box code instrumentation based on libFuzzer), manual analysis guided by variant hunting using the Joern code querying engine and a pre-existing corpus of vulnerabilities [...] and manual code review," the research team said today.
"In our study, we did not find any vulnerability in the lwIP, uC/TCP-IP, and CycloneTCP stacks.
"Although this does not imply that there are no flaws in these stacks, we observed that the three stacks have very consistent bounds checking and generally do not rely on shotgun parsing, one of the most common anti-patterns we identified," researchers added.
But while the Amnesia:33 bugs were easy to discover and patch, the real work only begins now. As with the Urgent/11 and Ripple20 vulnerabilities, device vendors will need to take the updated TCP/IP stacks and integrate them into firmware updates for their products.
In some cases, such as smartphones or networking equipment, this may be an easy task thanks to the over-the-air update mechanisms included with such products. Many other vulnerable devices, however, don't even ship with the ability to update their firmware, meaning some equipment will most likely remain vulnerable for the rest of its shelf life.
In these cases, companies will either need to replace devices or deploy countermeasures to prevent the exploitation of any of the Amnesia:33 vulnerabilities.
However, Forescout says that even identifying affected devices is a monumental task, primarily because many devices these days don't come with a software bill of materials, so companies won't even know they are running systems that use one of the four TCP/IP stacks vulnerable to Amnesia:33 attacks.
In other words, the smart device ecosystem remains a mess and will most likely remain a security disaster for years to come. According to Forescout, all of this comes down to bad coding practices, such as an absence of basic input validation and shotgun parsing, the primary issues at the heart of the Urgent/11, Ripple20, and Amnesia:33 vulnerabilities.
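The bounds-checking point the researchers make above, and the absence of input validation cited here as the root cause, as an added C example that is not code from the Amnesia:33 report or from any of the four stacks: a constructed TLV option walker in the style of a TCP options parser, written first shotgun-parsing style and then with every length validated before any payload byte is touched. The option layout (kind, length, payload) is assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not code from uIP, FNET, picoTCP or Nut/Net.
 * Assumed layout: kind(1) [len(1) payload(len-2)]; kind 0 = end,
 * kind 1 = no-op (single byte), kind 2 = MSS (len 4, 16-bit value). */
enum { OPT_END = 0, OPT_NOP = 1, OPT_MSS = 2 };

/* Shotgun parsing: every byte is consumed and acted on as soon as it is
 * reached, with no up-front check that the declared length fits the buffer. */
int mss_shotgun(const uint8_t *o, size_t n, uint16_t *mss)
{
    size_t i = 0;
    while (i < n) {
        if (o[i] == OPT_END) return 0;
        if (o[i] == OPT_NOP) { i++; continue; }
        uint8_t len = o[i + 1];                  /* i+1 may already equal n */
        if (o[i] == OPT_MSS) {                   /* payload may lie past n */
            *mss = (uint16_t)((o[i + 2] << 8) | o[i + 3]);
            return 1;
        }
        i += len;                                /* len == 0: never advances */
    }
    return 0;
}

/* Bounds-checked version: validate the whole option against the buffer
 * before reading its payload, and reject lengths that cannot make progress.
 * Returns 1 with *mss set, 0 if no MSS option, -1 on malformed input. */
int mss_checked(const uint8_t *o, size_t n, uint16_t *mss)
{
    size_t i = 0;
    while (i < n) {
        uint8_t kind = o[i];
        if (kind == OPT_END) return 0;
        if (kind == OPT_NOP) { i++; continue; }
        if (i + 1 >= n) return -1;               /* length byte is missing */
        uint8_t len = o[i + 1];
        if (len < 2 || (size_t)len > n - i) return -1; /* too short or overruns */
        if (kind == OPT_MSS) {
            if (len != 4) return -1;             /* MSS is exactly 4 bytes */
            *mss = (uint16_t)((o[i + 2] << 8) | o[i + 3]);
            return 1;
        }
        i += len;                                /* len >= 2: always progresses */
    }
    return 0;
}

/* Convenience wrapper: MSS value on success, 0 if absent, -1 if rejected. */
int mss_or_code(const uint8_t *o, size_t n)
{
    uint16_t m = 0;
    int r = mss_checked(o, n, &m);
    return r == 1 ? (int)m : r;
}
```

Each `return -1` in the checked walker corresponds to an input the shotgun walker would read past the buffer on or loop on forever; the difference is only that the length is validated before it is used.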
To learn more about the Amnesia:33 bugs, Forescout has provided a 47-page explainer as a PDF document. Shorter summaries are available on Forescout's Amnesia:33 research page.
Below is a list of all the Amnesia:33 vulnerabilities, extracted from the 47-page PDF document.