The issues may never be fixed for all devices
Why it matters: Gartner estimates that over 80 percent of all organizations currently use the Internet of Things to solve business use cases, and one in five has suffered a serious attack in the past three years. Most of these companies use equipment that is affected by at least 33 newly-discovered vulnerabilities, most of which will likely never be fixed due to various reasons.
Earlier this year, security researchers found that millions of IoT and surveillance devices powered by HiSilicon chips have a trivial backdoor that is unlikely to get a fix anytime soon as parent company Huawei has little control over third-party firmware implementations.
Today, a new report from Forescout Research Labs revealed that a new series of vulnerabilities will impact devices from over 150 vendors. Collectively dubbed “Amnesia:33”, the flaws affect four open-source TCP/IP stacks, specifically: uIP, picoTCP, FNET, and Nut/Net. By far the most vulnerable is uIP, which happens to be used by most vendors on the list.
The number of potentially impacted devices is huge, as it includes wearables, smartphones, game consoles, printers, routers, switches, IP cameras, uninterruptible power supplies, HVAC systems, self-checkout kiosks, ATMs, barcode readers, single-board computers like the Raspberry Pi, smart home appliances and sensors, servers, and many other consumer, enterprise, and industrial devices.
If exploited, the 33 vulnerabilities allow attackers to perform a wide range of malicious attacks such as denial of service (DoS), remote code execution (RCE), DNS cache poisoning to redirect to a malicious domain, and information leak to acquire sensitive information.
Forescout researchers had previously uncovered 20 vulnerabilities in the Treck TCP/IP stack dubbed Ripple20, which were eventually fixed by the Cincinnati-based software company. However, the Amnesia:33 vulnerabilities affect open source libraries used in a myriad of devices from a variety of different companies, which makes them much more difficult to fix. Five of the flaws have been around for 20 years, and many of the affected devices use chips from a rich ecosystem of third party silicon vendors, many of which offer little documentation and some of which are no longer in business.
Forescout has been working with Germany cyberdefense agency BSI, the CERT Coordination Center, ICS-CERT, JPCERT, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to coordinate the issuing of alerts about Amnesia:33.
In the meantime, the researcher lab explains that organizations can mitigate risks by patching where possible, monitoring for malformed packets, relying on internal DNS servers, blocking or disabling IPv6 traffic, and segmenting and zoning to minimize the impact in case a device has been compromised to get deeper access.