Monday, 14 December 2020 10:58

Forescout reveals widespread vulnerabilities affecting millions of devices globally

By

Guest Research: Forescout has revealed widespread vulnerabilities affecting millions of devices globally through its AMNESIA:33 study. The nature of these vulnerabilities across so many different devices, covering all aspects of business means that most organisations will be at risk. 

AMNESIA:33 is a set of 33 memory-corrupting vulnerabilities affecting four open-source TCP/IP stacks: uIP; FNET; picoTCP; and Nut/Net. These open-source stacks are not owned by a single company and are used across multiple codebases, development teams, companies and products. This presents significant challenges to patch management. As a result, Forescout has identified hundreds of vendors and millions of Internet of Things (IoT), Industrial IoT (IIoT), Internet of Medical Things (IoMT), operational technology (OT), and IT devices at risk worldwide.


The TCP/IP stacks affected by AMNESIA:33 can be found in operating systems for embedded devices, systems-on-a-chip, networking equipment, OT devices and a myriad of enterprise and consumer IoT devices such as:

  • IoT devices: cameras; environmental sensors (e.g., temperature, humidity); smart lights; smart plugs; barcode readers; specialised printers; retail audio systems; and healthcare devices
  • building automation systems: physical access control; fire and smoke alarms; energy meters; batteries; and heating, ventilation and air conditioning (HVAC) systems
  • industrial control systems: physical access control; and fire and smoke alarms.
  • IT: printers; switches; and wireless access points.


TCP/IP stacks are critical components of all IP-connected devices, including IoT and OT, since they enable basic network communication. A security flaw in a TCP/IP stack can be extremely dangerous because the code in these components may be used to process every incoming network packet that reaches a device. This means that some vulnerabilities in a TCP/IP stack let a device be exploited simply by being connected to a network and powered on. 

Many of the vulnerabilities reported within AMNESIA:33 arise from bad software development practices, such as an absence of basic input validation. They relate mostly to memory corruption and can cause a denial of service, information leaks or remote code execution.

Four of the vulnerabilities in AMNESIA:33 are critical, with potential for remote code execution on certain devices. Exploiting these vulnerabilities could let an attacker take control of a device, using it as an entry point on a network (for internet-connected devices), as a pivot point for lateral movement, as a persistence point on the target network, or as the final target of an attack. 
This means enterprise organisations are at increased risk of having their network compromised, or having malicious actors undermining their business continuity. 

Greg Clark, CEO, Forescout, said, “Over the last several years, we’ve seen an escalation in attacks leveraging connected devices. What the world is just beginning to understand though is that traditional IT devices represent only the tip of the iceberg when it comes to cyber risk and that the proliferation of unagentable IoT, OT and other connected devices will create a potentially far greater attack surface. 

“The nature of vulnerabilities like AMNESIA:33 fundamentally changes our understanding of the risks posed by connected devices. Organisations are only as strong as their weakest link, and executives and boards of directors have a responsibility to understand the full spectrum of the attack surface all the way down to the supply chain level, as they deploy controls to buy-down the risk of network compromise or ensure business continuity.   

“Given the widespread nature of these vulnerabilities and the difficulty in remedying them at scale, it is only a matter of time before they are exploited. Organisations must ready themselves before that time comes or else knowingly leave themselves open to attack.” 

Steve Hunter, senior director, systems engineering – Asia Pacific & Japan, Forescout, said, “This research highlights that potentially any network-connected device in the world may have inherent vulnerabilities as part of its code that could lead to significant security breaches if those vulnerabilities are weaponised by hackers. Even traditional home devices pose a risk for organisations with the new normal being the distributed workforce. This potentially opens a new access path to corporate assets through home devices that have these types of vulnerabilities. 

“The reality is, once hackers realise the potential here and exploits are developed, we will see a spike in attacks on these devices. These types of vulnerabilities are now pervasive across the enterprise and we will continue to find more examples in existing and unpatchable devices as well as in the new devices being added to networks to enable new applications. 

“AMNESIA:33 also raises broader questions around due diligence, ethics and a sense of responsibility when it comes to the manufacture and supply of these devices. It’s time for the industry as whole to step in to address these issues and collaborate on a framework or set of standards that will assist with the design and manufacturing of devices to prevent these inherent vulnerabilities being widely accepted and distributed around the globe.” 

Due to the complexity of identifying and patching vulnerable devices, vulnerability management for TCP/IP stacks is becoming a challenge for the security community. Forescout recommends adopting solutions that provide granular device visibility and the ability to monitor network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities.

AMNESIA:33 is the first study under Project Memoria, an initiative launched by Forescout Research Labs that aims at providing the community with the largest study on the security of TCP/IP stacks. Project Memoria’s goal is to develop the understanding of common bugs behind the vulnerabilities in TCP/IP stacks, identifying the threats they pose to the extended enterprise, and how to mitigate those. 

To download the full report visit. 


Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments