{"id":18028,"date":"2021-01-06T23:23:35","date_gmt":"2021-01-06T23:23:35","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=18028"},"modified":"2023-03-29T16:52:06","modified_gmt":"2023-03-29T16:52:06","slug":"tcp-ip-vulnerabilities-expose-iot-ot-systems","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/tcp-ip-vulnerabilities-expose-iot-ot-systems\/","title":{"rendered":"New TCP\/IP Vulnerabilities Expose IoT, OT Systems"},"content":{"rendered":"

Forescout Research Labs last month released a 14-page <\/span>white paper <\/span><\/a>and a 47-page <\/span>research report<\/span><\/a> detailing 33 vulnerabilities affecting millions of Internet of Things (IoT), Operational Technology (OT), and IT devices. Dubbed AMNESIA:33, these newly identified vulnerabilities include four broadly used TCP\/IP stacks and have left more than 150 vendors potentially compromised.<\/span><\/p>\n

Forescout’s findings are the first published study under Project Memoria, an initiative to understand the flaws and threats rooted in TCP\/IP stacks for organizations. <\/span>Malicious actors<\/span><\/a> familiar with the vulnerabilities can use a number of devices to gain access, move laterally within networks, and cause extensive damage. Because AMNESIA:33 affects an expansive code network with deeply embedded subsystems, the task of identifying and <\/span>patching<\/span><\/a> vulnerable devices for your organization is as daunting as it is essential.<\/span><\/p>\n

This article will touch on TCP\/IP stacks’ role in network security, the critical vulnerabilities identified by Forescout, and immediate steps to mitigate AMNESIA:33 attacks.<\/span><\/p>\n

Also Read: <\/b>How to Build & Run a Threat Hunting Program<\/b><\/a><\/p>\n

TCP\/IP: Ubiquitous and insecure<\/span><\/h2>\n

The communication protocols used in internet-capable devices are commonly known as TCP\/IP stacks, short for Transmission Control Protocol (TCP) and Internet Protocol (IP). Their implementation within networks dates back to the beginning of modern computing and still serves as a fundamental component of most devices, so they are ubiquitous – and more exploitable than imagined.<\/span><\/p>\n

Today, TCP\/IP stacks exist as automated applications on almost every computing platform. The set of rules TCP and IP enable control <\/span>how packets move<\/span><\/a> between devices. TCP manages the secure transportation of identified packets across internet-connected networks, while IP authorizes the specific destination of packets. The four TCP\/IP protocol layers are the link layer, <\/span>internet layer<\/span>, transport layer, and application layer. While the latter two layers are most familiar to IT professionals managing <\/span>network security<\/span><\/a>, the TCP\/IP model’s roots in the deeper layers make AMNESIA:33 so dangerous.<\/span><\/p>\n

Project Memoria<\/span><\/h2>\n

Last August, Forescout collaborated with JSOF in reporting on the <\/span>Ripple20 disclosure<\/span><\/a>. When this research showed that TCP\/IP security bugs weren’t limited to a few vendor-specific stacks, Project Memoria was launched to expand the study of these vulnerabilities. Before AMNESIA:33, news of 19 vulnerabilities impacting hundreds of millions of devices in the Trek TCP\/IP stack, dubbed Ripple20, was the most reported to date.<\/span><\/p>\n

As to why Project Memoria focuses on TCP\/IP security, the answer is simple: the implementation of open source software often includes embedded TCP\/IP stacks that users rarely notice.<\/span><\/p>\n

The thirty-three newly identified flaws collectively dubbed AMNESIA:33 nearly equal the sum of similar vulnerabilities discovered since 2013.<\/span><\/p>\n

Also Read: 5 Essential IoT Security Best Practices<\/a><\/strong><\/p>\n

Affected TCP\/IP stacks<\/span><\/h2>\n

For their analysis, Forescout selected a sample of seven open source embedded TCP\/IP stacks, all used or supported by popular open source RTOS (real-time operating systems). With a combination of automated fuzzing based on libFuzzer and <\/span>static analysis<\/span><\/a> based on Joern code, four of the seven stacks presented vulnerabilities: uIP, picoTCP, FNET, and Nut\/Net. Fuzzing found 11 vulnerabilities between uIP and picoTCP, while the remaining 22 vulnerabilities were split between the four stacks.<\/span><\/p>\n

Forescout’s research touches on each vulnerability and its affected components, <\/span>anti-patterns<\/span>, exploitability, and potential impact. Stack components impacted include DNS, IPv6, IPv4, TCP, ICMP, LLMNR, and mDNS. Forescout found <\/span>DNS<\/span><\/a> to be the most vulnerable due to its complexity, with TCP and IPv4 and IPv6 sub-stacks not far behind.<\/span><\/p>\n

The 33 stack vulnerabilities amount to 38 potential impacts to organizations, with a handful of vulnerabilities giving actors multiple options. The breakdown of the possible attacks rooted in AMNESIA:33 are:<\/span><\/p>\n