ADVISORY: TCP/IP stack vulnerabilities affect millions of devices

Thursday, December 10, 2020

The information below was sent to U-M IT groups on December 10, 2020.

Summary

A set of vulnerabilities, called Amnesia:33, has been discovered in four open source TCP/IP stacks. The most severe of these vulnerabilities could result in remote code execution. These are serious vulnerabilities that put U-M devices and the U-M networks to which they are exposed at risk.

TCP/IP stands for Transmission Control Protocol/ Internet Protocol. The TCP/IP stack is a set of communication protocols used in the transmission of data across the internet and between computers. The vulnerabilities impact enterprise and consumer Internet of Things (IoT) devices.

Problem

Multiple vulnerabilities (known as Amnesia:33) have been discovered in four open source TCP/IP stacks. The most severe of these vulnerabilities could result in remote code execution. The vulnerabilities may allow attackers to remotely compromise devices, execute malicious code, perform denial-of-service attacks, steal sensitive information, or inject malicious DNS records to point a device to an attacker-controlled domain.

Affected Systems

Open source TCP/IP stacks are used widely in Internet of Things (IoT) devices—including healthcare and industrial equipment, printers, routers, and more. According to the references listed below, the vulnerabilities affect more than 150 vendors and millions of enterprise and consumer IoT devices. They may be incorporated into embedded subsystems.

Action Items

To mitigate against these vulnerabilities for U-M devices, prioritize implementation of best practices:

  • Network access to U-M IoT devices.
    • Avoid exposing devices to inbound connections from the internet.
    • If inbound communication from the internet to the device is needed, put a layer of protection, such as a firewall or proxy, in place between the internet and the device.
    • Whenever possible, also isolate devices from other campus networks, especially devices that perform critical functions.
  • Device updates.
    • Watch for updates from vendors of devices that your unit uses.
    • Apply software and firmware updates to U-M devices as soon as possible after appropriate testing.

Threats

  • There are currently no reports of these vulnerabilities being exploited in the wild.
  • Proof-of-concept code is available for at least some of these vulnerabilities, so attacks are likely in the near future.
  • The vendor that publicized these vulnerabilities (Forescout) plans to continue its research, so more of these vulnerabilities may be made public fairly soon as that research progresses and more is discovered.
  • According to Forescout:
    • Enterprise organizations are at increased risk of having their network compromised or having malicious actors undermine their business continuity.
    • Consumer IoT devices are at risk of being used as part of large attack campaigns, such as those using botnets, without the consumer being aware.

Technical Details

According to Forescout, "AMNESIA:33 is a set of 33 vulnerabilities impacting four open source TCP/IP stacks (uIP, PicoTCP, FNET, and Nut/Net), which collectively serve as the foundational connectivity components of millions of devices around the world." Forescout summarized the vulnerabilities as follows:

  • AMNESIA:33 affects seven different components of the stacks (DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS). Two vulnerabilities in AMNESIA:33 only affect 6LoWPAN wireless devices.
  • AMNESIA:33 has four categories of potential impact: remote code execution (RCE), denial of service (DoS via crash or infinite loop), information leak (infoleak) and DNS cache poisoning. Four of the vulnerabilities allow for remote code execution.

For more detail, see Amnesia:33 – Forescout Research Labs Finds 33 New Vulnerabilities in Open Source TCP/IP Stacks (Forescout Technologies Inc., 12/7/20).

How We Protect U-M

  • ITS networking staff are exploring options for additional network protections from the vulnerabilities.
  • ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • IA provides vulnerability management guidance to the university.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact info-assurance@umich.edu.