On Monday, December 7, 2020, security firm Forescout published a technical paper with high-level details on a suite of vulnerabilities affecting four open-source TCP/IP stacks broadly used in operational technology (OT), Internet of Things (IoT), and other connected devices, such as printers, routers, and network switches. Forescout has dubbed the vulnerabilities collectively “Amnesia:33” and said that the flaws’ potential impacts vary. Denial of Service (DoS), remote code execution (RCE), information disclosure, and DNS cache poisoning are all listed as potential impacts of exploitation.

Four of the CVEs (CVE-2020-24338, CVE-2020-24336, CVE-2020-25111, and CVE-2020-25112) are highlighted as having the potential for remote code execution, but it is not clear as of December 8, 2020, whether Forescout has successfully tested exploitability or developed proof-of-concept code for the Amnesia:33 vulns. Prominent security community members have noted that the nature of open-source libraries whose use is spread across many devices and vendors (and whose code is extended or customized to fit different use cases) means that vulnerabilities like this have long tails, if they’re fixed at all.

Affected stacks

• uIP
  
• PicoTCP
  
• FNET
  
• Nut/Net
  

Affected components include DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS. Neither the CVEs nor the vulnerable components are mapped directly to the stack(s) they affect.

Rapid7 analysis

As with Ripple20 or URGENT/11, the Amnesia:33 group of vulnerabilities elicits understandable concern from organizations that rely on or build atop vulnerable stacks in embedded systems and connected devices. As of December 8, 2020, it’s not clear which flaws affect which stacks, so it may be a while yet before exposure and impact can be accurately assessed. While precise technical detail is lacking in Forescout’s marketing materials, the Amnesia:33 vulns are professed to be largely memory corruption vulnerabilities. These are notoriously difficult to trigger in a way that results in reliable remote code execution, and even more difficult for which to develop stable exploits at scale. Like Ripple20 and URGENT/11, it is unlikely that we will see wide-scale attacks or generic exploits for Amnesia:33.

Guidance

In general, library vulnerabilities can have far-reaching consequences, and it can be difficult to gauge the scope of the problem. The following tried-and-true practices will go a long way toward mitigating the potential impact of any software library vulnerabilities, including those that affect OT, ICS, and other critical environments:

• Do not expose IoT/OT/ICS devices directly to a (hostile) internet, especially when those devices are built on difficult-to-determine versions of difficult-to-audit software.
  
• Use traditional defense technologies like firewalls that drop all unexpected IPv6 and malformed IP traffic.
  
• Segment networks to keep fragile devices like these contained in their own trusted networks.
  
• Longer-term, initiatives that leverage a Software Bill of Materials (https://www.ntia.gov/SBOM) can also help IT and IT security teams keep tabs on the more exotic components of their infrastructure that have not benefited from rigorous quality assurance audits.