Attacker Value: Low (1 user assessed)
Exploitability: Unknown (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

Amnesia:33


Description

Amnesia:33 is a group of 33 vulnerabilities in open-source TCP/IP stack libraries. The vulnerabilities may be present in a wide range of operational technology, IoT, and connected device implementations.


Ratings
  • Attacker Value
    Low
Technical Analysis

Sorta relying here on the fact that memory corruption vulns are difficult to weaponize or even trigger reliably, and it sounds like there will be lots of different implementations of the vulnerable libraries, so uniform attack surface area is going to be scarce. Rapid7’s IoT research lead noted as well that TCP stack issues like this may well require the attacker to be on the same subnet, and it’s unlikely that upstream routers would accept unexpected/malformed packets. There’ll be lots of fragmented vendor advisories trickling out in bits, I’d expect. There may be more detail out on which to base assessments later this week.

Technical Analysis

On Monday, December 7, 2020, security firm Forescout published a technical paper with high-level details on a suite of vulnerabilities affecting four open-source TCP/IP stacks broadly used in operational technology (OT), Internet of Things (IoT), and other connected devices, such as printers, routers, and network switches. Forescout has dubbed the vulnerabilities collectively “Amnesia:33” and said that the flaws’ potential impacts vary. Denial of Service (DoS), remote code execution (RCE), information disclosure, and DNS cache poisoning are all listed as potential impacts of exploitation.

Four of the CVEs (CVE-2020-24338, CVE-2020-24336, CVE-2020-25111, and CVE-2020-25112) are highlighted as having the potential for remote code execution, but it is not clear as of December 8, 2020, whether Forescout has successfully tested exploitability or developed proof-of-concept code for the Amnesia:33 vulns. Prominent security community members have noted that the nature of open-source libraries whose use is spread across many devices and vendors (and whose code is extended or customized to fit different use cases) means that vulnerabilities like this have long tails, if they’re fixed at all.

Affected stacks

  • uIP
  • PicoTCP
  • FNET
  • Nut/Net

Affected components include DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS. Neither the CVEs nor the vulnerable components are mapped directly to the stack(s) they affect.
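Every component in that list is a packet parser, which is why the guidance below leans on border devices that drop malformed IP traffic before it reaches a fragile stack. As an added illustration (not code from Forescout or Rapid7), the following Python models the header-level consistency checks such a filter performs on IPv4: version, header length, total length against bytes actually received, and the RFC 791 header checksum. The packets and addresses are constructed inline for the example.

```python
"""Header-level sanity check for IPv4 packets.

Added illustration, not code from Forescout or Rapid7. It models the kind of
check a border firewall applies when configured to drop malformed IP traffic
before it can reach an embedded TCP/IP stack. Every packet below is
constructed inline; the addresses are placeholders.
"""
import struct
from typing import Dict, Tuple

MIN_IHL = 5  # IPv4 header length in 32-bit words; 5 words = 20 bytes


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 means the checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_ipv4(packet: bytes) -> Tuple[bool, str]:
    """Return (accept, reason) after checking only header consistency."""
    if len(packet) < MIN_IHL * 4:
        return False, "truncated: shorter than a minimal IPv4 header"
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        return False, f"version {version} is not IPv4"
    if ihl < MIN_IHL:
        return False, f"IHL {ihl} below minimum of {MIN_IHL}"
    header_len = ihl * 4
    if len(packet) < header_len:
        return False, "truncated: IHL claims more header than was received"
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < header_len:
        return False, "total length smaller than header length"
    if total_len > len(packet):
        return False, "total length exceeds bytes received"
    if ipv4_checksum(packet[:header_len]) != 0:
        return False, "header checksum mismatch"
    return True, "ok"


def build_ipv4(src: bytes, dst: bytes, payload: bytes, proto: int = 17) -> bytes:
    """Build a well-formed IPv4 packet (no options) with a correct checksum."""
    total_len = MIN_IHL * 4 + len(payload)
    # ver/IHL, TOS, total length, ID, flags+fragment offset (DF), TTL, proto, csum=0, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | MIN_IHL, 0, total_len,
                      0x1234, 0x4000, 64, proto, 0, src, dst)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def sample_packets() -> Dict[str, bytes]:
    """Constructed samples: one valid packet and four malformed variants."""
    good = build_ipv4(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x00" * 8)
    short_ihl = bytearray(good)
    short_ihl[0] = 0x43            # version 4, IHL = 3 words (impossible)
    oversized = bytearray(good)
    oversized[2:4] = b"\x0f\xff"   # total length 4095 on a 28-byte packet
    bad_csum = bytearray(good)
    bad_csum[8] ^= 0xFF            # TTL changed, checksum now stale
    return {
        "valid": good,
        "ihl_too_small": bytes(short_ihl),
        "total_length_too_large": bytes(oversized),
        "checksum_mismatch": bytes(bad_csum),
        "truncated": good[:10],
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        accept, reason = check_ipv4(pkt)
        print(f"{name:24s} {'ACCEPT' if accept else 'DROP  '} {reason}")
```

The checks are deliberately conservative: a packet is dropped on the first inconsistency, and nothing past the header is interpreted, so the filter itself has no fragile parsing of its own to defend.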

Rapid7 analysis

As with Ripple20 or URGENT/11, the Amnesia:33 group of vulnerabilities elicits understandable concern from organizations that rely on or build atop vulnerable stacks in embedded systems and connected devices. As of December 8, 2020, it’s not clear which flaws affect which stacks, so it may be a while yet before exposure and impact can be accurately assessed. While precise technical detail is lacking in Forescout’s marketing materials, the Amnesia:33 vulns are professed to be largely memory corruption vulnerabilities. These are notoriously difficult to trigger in a way that results in reliable remote code execution, and even more difficult to develop stable exploits for at scale. Like Ripple20 and URGENT/11, it is unlikely that we will see wide-scale attacks or generic exploits for Amnesia:33.

Guidance

In general, library vulnerabilities can have far-reaching consequences, and it can be difficult to gauge the scope of the problem. The following tried-and-true practices will go a long way toward mitigating the potential impact of any software library vulnerabilities, including those that affect OT, ICS, and other critical environments:

  • Do not expose IoT/OT/ICS devices directly to a (hostile) internet, especially when those devices are built on difficult-to-determine versions of difficult-to-audit software.
  • Use traditional defense technologies like firewalls that drop all unexpected IPv6 and malformed IP traffic.
  • Segment networks to keep fragile devices like these contained in their own trusted networks.
  • Longer-term, initiatives that leverage a Software Bill of Materials (https://www.ntia.gov/SBOM) can also help IT and IT security teams keep tabs on the more exotic components of their infrastructure that have not benefited from rigorous quality assurance audits.
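The SBOM point is the one that turns a vague "are we exposed?" into a list of components to chase. As an added example (not Forescout's or Rapid7's tooling), the Python below screens a CycloneDX-style SBOM for the four stacks named above, including stacks nested inside a firmware component, and reports each hit for review. The alias table and the SBOM document are constructed for the example; since the advisory maps neither CVEs nor fixed versions to stacks, no version is judged patched.

```python
"""Screen a CycloneDX-style SBOM for components built on the Amnesia:33 stacks.

Added illustration, not Forescout's or Rapid7's tooling. The stack names are the
four listed in the advisory summary; the alias table and the SBOM document are
constructed for this example. Because the summary maps neither CVEs nor fixed
versions to stacks, every hit is reported for review rather than judged
patched or unpatched.
"""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Assumed spellings of the four stacks as they tend to appear in vendor inventories.
STACK_ALIASES = {
    "uip": "uIP", "contiki-uip": "uIP",
    "picotcp": "PicoTCP", "pico-tcp": "PicoTCP",
    "fnet": "FNET",
    "nut/net": "Nut/Net", "nut-net": "Nut/Net",
}

# Constructed SBOM: a firmware image that embeds uIP, plus two standalone libraries.
EXAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "firmware", "name": "example-printer-fw", "version": "3.2.1",
     "components": [
       {"type": "library", "name": "uip", "version": "1.0"},
       {"type": "library", "name": "mbedtls", "version": "2.16.6"}
     ]},
    {"type": "library", "name": "PicoTCP", "version": "1.7.0"},
    {"type": "library", "name": "lwip", "version": "2.1.2"}
  ]
}
""")


def normalize(name: str) -> str:
    """Lower-case and collapse whitespace/underscores so aliases match loosely."""
    return re.sub(r"[\s_]+", "-", name.strip().lower())


def walk(components: List[dict], path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], dict]]:
    """Yield every component with its nesting path; CycloneDX allows nested components."""
    for comp in components:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk(comp.get("components", []), here)


def screen_sbom(sbom: dict) -> List[Dict[str, str]]:
    """Return one finding per component whose name maps to an affected stack."""
    findings = []
    for path, comp in walk(sbom.get("components", [])):
        stack = STACK_ALIASES.get(normalize(comp.get("name", "")))
        if stack is None:
            continue
        findings.append({
            "path": " > ".join(path),
            "version": comp.get("version", "unknown"),
            "stack": stack,
            "action": "check vendor advisory for this stack; no fixed version listed",
        })
    return findings


if __name__ == "__main__":
    for f in screen_sbom(EXAMPLE_SBOM):
        print(f"{f['stack']:8s} {f['path']} ({f['version']}): {f['action']}")
```

Matching on names rather than on package URLs is a deliberate choice for this class of component: embedded stacks are frequently vendored into firmware under their bare name, and the alias table is where a team records the spellings it actually finds in its own inventories.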