New edge vulnerability revealed by Forescout
Forescout has revealed widespread vulnerabilities affecting millions of devices globally through its AMNESIA:33 study.
The nature of these vulnerabilities across many different devices, covering all aspects of business means that most organisations will be at risk.
AMNESIA:33 is a set of 33 memory-corrupting vulnerabilities affecting four open source TCP/IP stacks: uIP; FNET; picoTCP; and Nut/Net.
These open source stacks are not owned by a single company and are used across multiple codebases, development teams, companies and products. This presents significant challenges to patch management.
As a result, Forescout has identified hundreds of vendors and millions of Internet of Things (IoT), Industrial IoT (IIoT), Internet of Medical Things (IoMT), operational technology (OT), and IT devices at risk worldwide.
The TCP/IP stacks affected by AMNESIA:33 can be found in operating systems for embedded devices, systems-on-a-chip, networking equipment, OT devices and a myriad of enterprise and consumer IoT devices such as:
- IoT devices: cameras; environmental sensors (e.g., temperature, humidity); smart lights; smart plugs; barcode readers; specialised printers; retail audio systems; and healthcare devices
- building automation systems: physical access control; fire and smoke alarms; energy meters; batteries; and heating, ventilation and air conditioning (HVAC) systems
- industrial control systems: physical access control; and fire and smoke alarms.
- IT: printers; switches; and wireless access points.
TCP/IP stacks are critical components of all IP-connected devices, including IoT and OT, since they enable basic network communication.
A security flaw in a TCP/IP stack can be extremely dangerous because the code in these components may be used to process every incoming network packet that reaches a device.
This means that some vulnerabilities in a TCP/IP stack let a device be exploited simply by being connected to a network and powered on.
Many of the vulnerabilities reported within AMNESIA:33 arise from bad software development practices, such as an absence of basic input validation.
They relate mostly to memory corruption and can cause denial of service, information leaks or remote code execution.
Four of the vulnerabilities in AMNESIA:33 are critical, with potential for remote code execution on certain devices.
Exploiting these vulnerabilities could let an attacker take control of a device, using it as an entry point on a network (for internet-connected devices), as a pivot point for lateral movement, as a persistence point on the target network, or as the final target of an attack.
This means enterprise organisations are at increased risk of having their network compromised, or having malicious actors undermining their business continuity.
“The nature of vulnerabilities like AMNESIA:33 fundamentally changes our understanding of the risks posed by connected devices. Organisations are only as strong as their weakest link, and executives and boards of directors have a responsibility to understand the full spectrum of the attack surface all the way down to the supply chain level, as they deploy controls to buy-down the risk of network compromise or ensure business continuity,” says Forescout CEO Greg Clark.
Forescout Asia Pacific and Japan systems engineering senior director Steve Hunter adds, “Once hackers realise the potential here and exploits are developed, we will see a spike in attacks on these devices. These types of vulnerabilities are now pervasive across the enterprise and we will continue to find more examples in existing and unpatchable devices as well as in the new devices being added to networks to enable new applications.”
Due to the complexity of identifying and patching vulnerable devices, vulnerability management for TCP/IP stacks is becoming a challenge for the security community.
Forescout recommends adopting solutions that provide granular device visibility and the ability to monitor network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities.
AMNESIA:33 is the first study under Project Memoria, an initiative launched by Forescout Research Labs that aims at providing the community with the largest study on the security of TCP/IP stacks.
Project Memoria’s goal is to develop the understanding of common bugs behind the vulnerabilities in TCP/IP stacks, identifying the threats they pose to the extended enterprise, and how to mitigate those.