Researchers at Forescout Technologies have identified 33 security vulnerabilities in four open source TCP/IP stacks (uIP, PicoTCP, FNET, and Nut/Net) that have been used in millions of devices around the world.
The details of the vulnerabilities, which Forescout is calling AMNESIA:33, will be discussed at the Black Hat Europe 2020 conference.
AMNESIA:33 affects seven different components of the stacks (DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS). Two vulnerabilities in AMNESIA:33 only affect 6LoWPAN wireless devices, says Daniel dos Santos, a researcher at Forescout.
The AMNESIA:33 vulnerabilities cover remote code execution (RCE), denial of service (DoS via crash or infinite loop), information leak (infoleak) and DNS cache poisoning. Four of the vulnerabilities allow for remote code execution.
Generally, these vulnerabilities can be exploited to take full control of a target device (RCE), impair its functionality (DoS), obtain potentially sensitive information (infoleak) or inject malicious DNS records to point a device to an attacker-controlled domain (DNS cache poisoning). However, different devices may be affected differently by the vulnerabilities depending on how a stack is used.
More than 150 vendors and millions of devices are likely vulnerable to AMNESIA:33, says dos Santos. The findings have been shared with agencies such as ICS-CERT and the CERT/CC, which have contacted the identified vendors. Some vendors have already confirmed the vulnerabilities and issued patches, but several are still investigating.
The vulnerabilities were discovered as part of Project Memoria, which is studying the security of TCP/IP stacks.
Exploiting the AMNESIA:33 vulnerabilities could allow an attacker to take control of a device and use it as an entry point on a network (for Internet-connected devices), as a pivot point for lateral movement, as a persistence point on the target network or as the final target of an attack.
It is difficult to assess the full impact of AMNESIA:33 because the vulnerable stacks are widely spread across diverse IoT, embedded and enterprise IT systems and are often incorporated in embedded components, such as systems-on-a-chip (SoCs).