Amnesia:33 vulnerabilities impact millions of smart and industrial devices

Security researchers have identified 33 security flaws in four open-source TCP/IP stacks used across a wide range of smart products.
Written by Catalin Cimpanu, Contributor
Image: Forescout

Security researchers have disclosed today 33 security flaws in four open-source TCP/IP libraries currently used inside the firmware of products from more than 150 vendors.

Forescout researchers estimate that millions of consumer and industrial-grade devices are currently impacted by the security flaws they discovered, and which they named Amnesia:33.

SEE: Meet the hackers who earn millions for saving the web, one bug at a time (cover story PDF) (TechRepublic)

Impacted systems include anything you can think of, including smartphones, gaming consoles, sensors, system-on-a-chip (SOC) boards, HVAC systems, printers, routers, switches, IP cameras, self-checkout kiosks, RFID asset trackers, badge readers, uninterruptible power supplies, and all sorts of industrial equipment.

Amnesia:33 bugs reside in four open-source TCP/IP stacks

The wide impact of the Amensia:33 vulnerabilities can be explained by location of the security flaws — namely in four widely used open-source libraries: uIPFNETpicoTCP, and Nut/Net.

Over the past two decades, device makers have often added one of these four libraries to the firmware of their devices to allow their products to support TCP/IP, today's most widely used networking communications protocols.

Due to the crucial functions they provide to a device, Forescout says that if exploited, the 33 vulnerabilities would allow an attacker to perform a wide range of attacks, such as:

  • Remote code execution (RCE) to take control of a target device.
  • Denial of service (DoS) to impair functionality and impact business operations.
  • Information leak (infoleak) to acquire potentially sensitive information.
  • DNS cache poisoning attacks to point a device to a malicious website.

However, exploiting any devices using one of the Amnesia:33 bugs depends on which devices a company uses and where the devices are deployed across its network.

For example, by their nature, routers can be exploited remotely, as they are usually connected to a company's external interface. Other devices, like sensors and industrial equipment, might require that attackers gain access to a company's internal network first.

Project Memoria: From Ripple20 to Amnesia:30

Forescout said it found the Amensia:33 bugs as part of a research project they started earlier this year, named Project Memoria.

Inspired by the discovery of the Urgent/11 and Ripple20 and vulnerabilities in the IPnet and Treck TCP/IP stack last year, Forescout's Project Memoria analyzed the security of seven other TCP/IP libraries in search of similar dangerous vulnerabilities.

Image: Forescout

"To perform our analysis, we used a combination of automated fuzzing (white-box code instrumentation based on libFuzzer), manual analysis guided by variant hunting using the Joern code querying engine and a pre-existing corpus of vulnerabilities [...] and manual code review," the research team said today.

"In our study, we did not find any vulnerability in the lwIPuC/TCP-IP, and CycloneTCP stacks.

"Although this does not imply that there are no flaws in these stacks, we observed that the three stacks have very consistent bounds checking and generally do not rely on shotgun parsing, one of the most common anti-patterns we identified," researchers added.

Image: Forescout

But while the Amnesia:33 bugs were easy to discover and patch, the real work only now begins. Just like in the case of the Urgent/11 and Ripple20 vulnerabilities, device vendors will need to take the updated TCP/IP stacks and integrate them as firmware updates to their products.

While in some cases —like smartphones or networking equipment— this might be an easy task due to over-the-air update mechanisms included with some of these products, many other vulnerable devices don't even ship with the ability to update the firmware, meaning some equipment will most likely remain vulnerable for the rest of their shelf life.

In these cases, companies will either need to replace devices, or deploy countermeasures to prevent the exploitation of any of the Amnesia:33 vulnerabilities.

However, Forescout says that even detecting these bugs is a monumental task, primarily because many devices these days don't come with a software bill of materials, and companies won't even know they are running systems that use one of the four TCP/IP stacks vulnerable to Amensia:33 attacks.

In other words, the smart device ecosystem remains a mess and will most likely remain a security disaster for years to come. According to Forescout, all of this comes down to bad coding practices, such as an absence of basic input validation and shotgun parsing, the primary issues at the heart of the Urgent/11, Ripple20, and Amnesia:33 vulnerabilities.

To learn more about the Amnesia:33 bugs, Forescout has provided a 47-page explainer as a PDF document. Shorter summaries are available on Forescout's Amnesia:33 research page.

Below is a list of all the Amnesia:33 vulnerabilities, extracted from the 47-page PDF document.

Image: Forescout
Image: Forescout
Image: Forescout
Image: Forescout
Editorial standards