Several sets of internet communication protocols used by major vendors of connected products have vulnerabilities that could affect millions of devices, researchers revealed on Tuesday.
Four of the vulnerabilities are critical, meaning attackers could use them to remotely take over devices ranging from a “smart” refrigerator to an industrial networking switch in the electrical grid, according to the security vendor Forescout. The flaws exist in information technology, operational technology and so-called internet of things products.
The Forescout study, dubbed AMNESIA:33, focuses on 33 vulnerabilities in four open-source TCP/IP stacks. TCP/IP stands for “Transmission Control Protocol/Internet Protocol,” which is used to communicate between computers. Open-source TCP/IP stacks serve as the foundational connectivity components of devices around the world. (A TCP/IP stack is an implementation of the TCP/IP protocol.)
It marks the second time this year that a set of TCP/IP stack vulnerabilities emerged that could affect a large number of devices. Both the nature of the AMNESIA:33 vulnerabilities and the open-source element of those TCP/IP stacks makes the latest discoveries especially troublesome, researchers said.
Forescout did not suggest hackers had exploited any of the vulnerabilities. If attackers leveraged the flaws, though, they could access data or functionality on an affected device, depending on the product.
“A security flaw in a TCP/IP stack can be extremely dangerous because the code in these components may be used to process every incoming network packet that reaches a device,” the report says. “This means that some vulnerabilities in a TCP/IP stack allow for a device to be exploited, even when it simply sits on a network without running a specific application.”
And because the TCP/IP stacks are open source, they “are not owned by a single company,” Forescout said, which “means that a single vulnerability tends to spread easily and silently across multiple codebases, development teams, companies and products, which presents significant challenges to patch management.” Forescout estimates that 150 information technology, operational technology and IoT vendors are vulnerable to AMNESIA:33, though the full extent is hard to know with any confidence.
“Being open source, actually these vulnerable stacks are used in a myriad of different devices, by different vendors,” said Elisa Costante, a lead researcher for Forescout’s Project Memoria, a larger study of TCP/IP stack vulnerabilities for which AMNESIA:33 is the first report.
Forescout worked with Germany’s cyberdefense agency BSI to coordinate the disclosure, as well as several computer emergency response team organizations: the CERT Coordination Center, the ICS-CERT and the JPCERT Coordination Center. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is issuing an alert about the vulnerabilities.
Awais Rashid, a professor of cybersecurity at the University of Bristol who was briefed on the report, was struck by the range of potential effects. “Depending on the context of use there, the application could be more or less severe,” he said.
A home user having a device hit by a denial of service attack would have minimal impact. But the same wouldn’t apply to home building management software that controls ventilation.
“If those systems could be exploitable, then there are of course serious implications,” he said.