Forescout has revealed widespread vulnerabilities affecting millions of devices globally including IoT devisers such as cameras or environmental sensors, building automation systems, industrial control systems, and common IT devices like printers.
The results are contained in Forescout’s AMNESIA:33 study. The nature of these vulnerabilities across so many different devices, covering all aspects of business means that most organizations will be at risk.
The study is the first under Project Memoria, an initiative launched by Forescout Research Labs that aims at providing the community with the largest study on the security of TCP/IP stacks. Project Memoria’s goal is to develop the understanding of common bugs behind the vulnerabilities in TCP/IP stacks, identifying the threats they pose to the extended enterprise, and how to mitigate those.
AMNESIA:33 is a set of 33 memory-corrupting vulnerabilities affecting four open-source communication protocols used by the Internet. These TCP/IP stacks are uIP; FNET; picoTCP; and Nut/Net. These open-source stacks are not owned by a single company and are used across multiple codebases, development teams, companies and products.
This presents significant challenges to patch management. As a result, Forescout has identified hundreds of vendors and millions of Internet of Things (IoT), Industrial IoT (IIoT), Internet of Medical Things (IoMT), operational technology (OT), and IT devices at risk worldwide.
According to Rody Quinlan, Research Engineer, Security Response at Tenable, “AMNESIA:33, aptly named given the root cause for the majority of the 33 vulnerabilities resides in memory, are concerning. They potentially affect millions of Operational Technology (OT), Internet of Things (IoT) and IT devices, including multiple remote code execution (RCE) flaws. This means attackers could execute code and gain full control over the devices.
“When OT infrastructure is vulnerable there is always concern, particularly as the uptime and security of these systems is essential to our way of life. If exploited, the implications could be far reaching. The list of vendors with advisories is currently quite small, but with over 150 suspected to be affected, this is expected to grow in the coming days and weeks,” Quinlan said.
“The libraries impacted by AMNESIA:33 are used in devices ranging from consumer IoT, such as smart home systems, to commercial HVAC and power monitoring devices. This has implications to anything that needs to be handled, transported, or stored at a specific temperature or automated systems used to monitor and maintain safe power loads.
“AMNESIA:33 follows in the footsteps of Ripple20 and URGENT/11 . Ripple20 is a set of 19 vulnerabilities in the TCP/IP library created by Treck, while URGENT/11 is a set of 11 vulnerabilities in VxWorks, a Real-Time Operating System (RTOS). Like AMNESIA:33, Ripple20 and URGENT/11 each reportedly affected millions of OT, IoT and IT devices.
“Given a proof of concept is available for one of the RCE vulnerabilities, it’s likely attacks are imminent. It’s imperative organisations take immediate action to determine if systems are vulnerable, and take steps to reduce the impact before any attacks, by applying the updates and remediative action where patches aren’t available.”
According to the Forescout report, the TCP/IP stacks affected by AMNESIA:33 can be found in operating systems for embedded devices, systems-on-a-chip, networking equipment, OT devices and a myriad of enterprise and consumer IoT devices such as:
- IoT devices: cameras; environmental sensors (e.g., temperature, humidity); smart lights; smart plugs; barcode readers; specialised printers; retail audio systems; and healthcare devices
- building automation systems: physical access control; fire and smoke alarms; energy meters; batteries; and heating, ventilation and air conditioning (HVAC) systems
- industrial control systems: physical access control; and fire and smoke alarms.
- IT: printers; switches; and wireless access points.
TCP/IP stacks are critical components of all IP-connected devices, including IoT and OT, since they enable basic network communication. A security flaw in a TCP/IP stack can be extremely dangerous because the code in these components may be used to process every incoming network packet that reaches a device. This means that some vulnerabilities in a TCP/IP stack let a device be exploited simply by being connected to a network and powered on.
Many of the vulnerabilities reported within AMNESIA:33 arise from bad software development practices, such as an absence of basic input validation. They relate mostly to memory corruption and can cause denial of service, information leaks or remote code execution.
Four of the vulnerabilities in AMNESIA:33 are critical, with potential for remote code execution on certain devices. Exploiting these vulnerabilities could let an attacker take control of a device, using it as an entry point on a network (for internet-connected devices), as a pivot point for lateral movement, as a persistence point on the target network, or as the final target of an attack.
This means enterprise organisations are at increased risk of having their network compromised, or having malicious actors undermining their business continuity.“Over the last several years, we’ve seen an escalation in attacks leveraging connected devices. What the world is just beginning to understand though is that traditional IT devices represent only the tip of the iceberg when it comes to cyber risk and that the proliferation of unagentable IoT, OT and other connected devices will create a potentially far greater attack surface,” said Greg Clark, CEO, Forescout.
“The nature of vulnerabilities like AMNESIA:33 fundamentally changes our understanding of the risks posed by connected devices. Organisations are only as strong as their weakest link, and executives and boards of directors have a responsibility to understand the full spectrum of the attack surface all the way down to the supply chain level, as they deploy controls to buy-down the risk of network compromise or ensure business continuity.”
Clark said, “Given the widespread nature of these vulnerabilities and the difficulty in remedying them at scale, it is only a matter of time before they are exploited. Organisations must ready themselves before that time comes or else knowingly leave themselves open to attack.”
Steve Hunter, senior director, systems engineering – Asia Pacific & Japan, Forescout, said, “This research highlights that potentially any network-connected device in the world may have inherent vulnerabilities as part of its code that could lead to significant security breaches if those vulnerabilities are weaponised by hackers.”
According to Hunter, even traditional home devices pose a risk for organisations with the new normal being the distributed workforce. This potentially opens a new access path to corporate assets through home devices that have these types of vulnerabilities.
“The reality is, once hackers realise the potential here and exploits are developed, we will see a spike in attacks on these devices. These types of vulnerabilities are now pervasive across the enterprise and we will continue to find more examples in existing and unpatchable devices as well as in the new devices being added to networks to enable new applications,” he said.
“AMNESIA:33 also raises broader questions around due diligence, ethics and a sense of responsibility when it comes to the manufacture and supply of these devices. It’s time for the industry as whole to step in to address these issues and collaborate on a framework or set of standards that will assist with the design and manufacturing of devices to prevent these inherent vulnerabilities being widely accepted and distributed around the globe.”
Due to the complexity of identifying and patching vulnerable devices, vulnerability management for TCP/IP stacks is becoming a challenge for the security community. Forescout recommends adopting solutions that provide granular device visibility and the ability to monitor network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities.