Amnesia:33
Description
Amnesia:33 is a group of 33 vulnerabilities in open-source TCP/IP stack libraries. The vulnerabilities may be present in a wide range of operational technology, IoT, and connected device implementations.
Ratings
Attacker Value: Low
Technical Analysis
Sorta relying here on the fact that memory corruption vulns are difficult to weaponize or even trigger reliably, and it sounds like there will be lots of different implementations of the vulnerable libraries, so uniform attack surface area is going to be scarce. Rapid7’s IoT research lead noted as well that TCP stack issues like this may well require the attacker to be on the same subnet, and it’s unlikely that upstream routers would accept unexpected/malformed packets. There’ll be lots of fragmented vendor advisories trickling out in bits, I’d expect. There may be more detail out on which to base assessments later this week.
Technical Analysis
On Monday, December 7, 2020, security firm Forescout published a technical paper with high-level details on a suite of vulnerabilities affecting four open-source TCP/IP stacks broadly used in operational technology (OT), Internet of Things (IoT), and other connected devices, such as printers, routers, and network switches. Forescout has dubbed the vulnerabilities collectively “Amnesia:33” and said that the flaws’ potential impacts vary. Denial of Service (DoS), remote code execution (RCE), information disclosure, and DNS cache poisoning are all listed as potential impacts of exploitation.
Four of the CVEs (CVE-2020-24338, CVE-2020-24336, CVE-2020-25111, and CVE-2020-25112) are highlighted as having the potential for remote code execution, but it is not clear as of December 8, 2020, whether Forescout has successfully tested exploitability or developed proof-of-concept code for the Amnesia:33 vulns. Prominent security community members have noted that the nature of open-source libraries whose use is spread across many devices and vendors (and whose code is extended or customized to fit different use cases) means that vulnerabilities like this have long tails, if they’re fixed at all.
Affected stacks
- uIP
- PicoTCP
- FNET
- Nut/Net
Affected components include DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS. Neither the CVEs nor the vulnerable components are mapped directly to the stack(s) they affect.
Rapid7 analysis
As with Ripple20 or URGENT/11, the Amnesia:33 group of vulnerabilities elicits understandable concern from organizations that rely on or build atop vulnerable stacks in embedded systems and connected devices. As of December 8, 2020, it’s not clear which flaws affect which stacks, so it may be a while yet before exposure and impact can be accurately assessed. While precise technical detail is lacking in Forescout’s marketing materials, the Amnesia:33 vulns are professed to be largely memory corruption vulnerabilities. These are notoriously difficult to trigger in a way that results in reliable remote code execution, and even more difficult to develop stable exploits for at scale. As with Ripple20 and URGENT/11, it is unlikely that we will see wide-scale attacks or generic exploits for Amnesia:33.
Guidance
In general, library vulnerabilities can have far-reaching consequences, and it can be difficult to gauge the scope of the problem. The following tried-and-true practices will go a long way toward mitigating the potential impact of any software library vulnerabilities, including those that affect OT, ICS, and other critical environments:
- Do not expose IoT/OT/ICS devices directly to a (hostile) internet, especially when those devices are built on difficult-to-determine versions of difficult-to-audit software.
- Use traditional defense technologies like firewalls that drop all unexpected IPv6 and malformed IP traffic.
- Segment networks to keep fragile devices like these contained in their own trusted networks.
- Longer-term, initiatives that leverage a Software Bill of Materials (https://www.ntia.gov/SBOM) can also help IT and IT security teams keep tabs on the more exotic components of their infrastructure that have not benefited from rigorous quality assurance audits.
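The firewall and segmentation advice above, as an added example that is not part of the AttackerKB page or Rapid7's guidance: an nftables ruleset for the router in front of a segmented OT network that drops IPv6 and malformed traffic at the boundary and confines the OT segment. Interface names, addresses and ports are constructed assumptions.

```nft
# Added example, not code from AttackerKB, Rapid7 or Forescout.
# Constructed assumptions: OT devices sit on interface "vlan20" (10.20.0.0/24),
# the trusted LAN is on "eth0", the engineering workstation is 10.10.0.5, the
# only permitted DNS resolver is 10.10.0.53, and the OT devices serve only
# HTTP/HTTPS (TCP 80 and 443).
table inet ot_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Drop IPv6 in both directions at the OT boundary: the devices behind
        # it have no need for it, and IPv6 is among the affected components.
        iifname "vlan20" meta nfproto ipv6 drop
        oifname "vlan20" meta nfproto ipv6 drop

        # Malformed and out-of-state packets never reach the fragile stacks.
        ct state invalid drop

        # Return traffic for flows opened from the trusted side is allowed.
        ct state established,related accept

        # Only the engineering workstation may open connections into the OT
        # VLAN, and only to the services those devices are expected to offer.
        iifname "eth0" oifname "vlan20" ip saddr 10.10.0.5 ip daddr 10.20.0.0/24 tcp dport { 80, 443 } ct state new accept
        iifname "eth0" oifname "vlan20" ip saddr 10.10.0.5 ip daddr 10.20.0.0/24 icmp type echo-request accept

        # OT devices may resolve names only through the designated resolver,
        # which limits where DNS cache-poisoning responses can come from.
        iifname "vlan20" oifname "eth0" ip daddr 10.10.0.53 udp dport 53 accept

        # mDNS and LLMNR stay inside the segment they originate on.
        iifname "vlan20" udp dport { 5353, 5355 } drop
        oifname "vlan20" udp dport { 5353, 5355 } drop

        # Everything else, including any OT-originated traffic toward the
        # internet, falls through to the chain policy; log it for detection.
        log prefix "ot_edge_drop: " counter
    }
}
```

Load with `nft -f` on the boundary router; the `ot_edge_drop:` log lines are a useful feed for spotting unexpected traffic sourced from or aimed at the OT segment.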