Vulnerabilities in open source TCP/IP could affect millions of devices, Forescout researchers say

Thirty-three vulnerabilities in four open-source TCP/IP stacks may affect the security of millions of internet-connected devices from 150 manufacturers, according to researchers from Forescout. The report means IT administrators have to be on the lookout for security updates from vendors who use open source stacks.

In a report issued Monday, the company said the vulnerabilities, collectively dubbed Amnesia:33, affect the uIP, PicoTCP, FNET and Nut/Net stacks and could allow remote code execution (RCE), denial of service (DoS via crash or infinite loop), information leak (infoleak) and DNS cache poisoning.

Within those stacks seven different components (DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS) are affected. Two vulnerabilities only affect 6LoWPAN wireless devices.

With remote code execution an attacker could take control of an internet-connected device and use it as a pivot point for lateral movement, as a persistence point on the target network or as the final target of an attack, the report points out.

“For enterprise organizations, this means they are at increased risk of having their network compromised or having malicious actors undermining their business continuity. For consumers, this means that their IoT devices may be used as part of large attack campaigns, such as botnets, without them being aware,” Forescout said. “It is difficult to assess the full impact of Amnesia:33 because the vulnerable stacks are widely spread (across diverse IoT, OT and IT devices in different verticals), highly modular (with several combinations of enabled features and settings) and often incorporated in embedded components, such as systems-on-a-chip (SoCs), that are later used by device manufacturers. For the same reasons, these vulnerabilities tend to be very hard to eradicate.”

The report suggests a huge range of products that could be affected including environmental sensors (e.g., temperature, humidity), smart lights, smart plugs, barcode readers, specialized printers, and audio systems for retail, industrial control systems (including RTUs, protocol gateways and serial-to-Ethernet gateways) and IT equipment (printers, switches and wireless access points).

Forescout has shared its findings with co-ordinating agencies (such as the ICS-CERT and the CERT/CC), which have contacted the identified vendors. Some have already confirmed the vulnerabilities and issued their patches, the report says, but several are still investigating.

This isn’t the first group of weaknesses found in TCP/IP stacks recently, the report notes. Earlier studies resulted in the discovery of the Ripple20 vulnerabilities in the Treck TCP/IP stack, which affected millions of devices, and the Bad Neighbor vulnerability in the ICMPv6 component of the Windows TCP/IP stack.

Forescout urges CIOs/CISOs to:

  • Assess your risk: Organizations should perform a thorough risk assessment before deploying mitigations;
  • Patch when possible: The best mitigation is to identify and patch vulnerable devices. However, this is easier said than done because:
    • Patches may not be available for an embedded component from the IoT or OT device vendor
    • Patching an embedded component directly may void the device manufacturer’s warranty
    • A device may be part of a mission-critical function or high-availability business operation and may not be patchable until a scheduled maintenance window at a future time.
  • Segment to mitigate risk: For IoT and OT devices that cannot be patched, use segmentation to minimize their network exposure and likelihood of compromise;
  • Disable or block IPv6 traffic: Since several vulnerabilities in Amnesia:33 are related to IPv6 components, disable or block IPv6 traffic whenever it is not needed in the network;
  • Rely on internal DNS servers: Configure devices to rely on internal DNS servers whenever possible and closely monitor external DNS traffic, as several vulnerabilities in Amnesia:33 are related to DNS clients, which require a malicious DNS server to reply with malicious packets;
  • Monitor for malformed packets.
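
As an illustration of the last two recommendations (watching DNS replies and monitoring for malformed packets), the following added example, which is not from the Forescout report or this article, checks a raw DNS message for structural problems before a client would parse it. The specific checks (RFC 1035 name encoding, compression pointers, RDLENGTH bounds), the function names and the sample messages are assumptions chosen for the example.

```python
import struct

def walk_name(msg, off):  # returns (offset after the name, problem or None)
    seen, end, total = set(), None, 0
    while off < len(msg):
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if off + 1 >= len(msg):
                return end, "truncated compression pointer"
            target = ((length & 0x3F) << 8) | msg[off + 1]
            end = off + 2 if end is None else end  # parsing resumes after first pointer
            if target in seen or target >= len(msg):
                return end, "compression pointer loops or leaves the message"
            seen.add(target)
            off = target
        elif length > 63:
            return end, "reserved label type"
        elif length == 0:  # root label ends the name
            return (off + 1 if end is None else end), None
        else:
            total += length + 1
            if total > 255:  # RFC 1035 cap on an encoded name
                return end, "name longer than 255 bytes"
            off += length + 1
    return end, "name runs past end of message"

def inspect_dns_message(msg):  # None if structurally sound, else a description
    if len(msg) < 12:
        return "shorter than the 12-byte DNS header"
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for i in range(qd + an + ns + ar):
        off, problem = walk_name(msg, off)
        if problem:
            return f"entry {i}: {problem}"
        fixed = 4 if i < qd else 10  # QTYPE+QCLASS, or TYPE+CLASS+TTL+RDLENGTH
        if off + fixed > len(msg):
            return f"entry {i}: truncated fixed fields"
        rdlen = 0 if i < qd else struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += fixed + rdlen
        if off > len(msg):
            return f"entry {i}: RDLENGTH exceeds message"
    return None

HDR = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)  # constructed samples, not captured traffic
QUESTION = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
GOOD = HDR + QUESTION + b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
LOOP = HDR + b"\xc0\x0c" + struct.pack("!2H", 1, 1)  # name pointer refers to itself
OVERRUN = HDR + QUESTION + b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 400) + bytes(4)
```

A monitoring sensor could run `inspect_dns_message` over UDP port 53 payloads and alert on any non-`None` result, particularly for replies from resolvers outside the internal set.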


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
