Amnesia:33 – Multiple Vulnerabilities in Open-Source TCP/IP Stacks

AMNESIA:33 is a study published by Forescout Research Labs under Project Memoria. The study consists of a report on 33 new vulnerabilities found in TCP/IP stacks used by multiple IoT, OT and IT device vendors.

AMNESIA:33 affects multiple open-source TCP/IP stacks, which means a single vulnerability tends to spread easily and silently across multiple codebases, development teams, companies and products. Vulnerable stacks are widely used in different IoT, OT and IT devices in different verticals, so it is difficult to assess the full impact of AMNESIA:33. Forescout estimates more than 150 vendors and millions of devices are vulnerable to AMNESIA:33.

Technical Details

AMNESIA:33 has four categories of potential impact:

  1. Remote code execution
  2. Denial of service (DoS via crash or infinite loop)
  3. Information leak
  4. DNS cache poisoning

Generally, these vulnerabilities can be exploited to take full control of a target device, impair its functionality, obtain potentially sensitive information, or inject malicious DNS records to point a device to an attacker-controlled domain.

The TCP/IP libraries affected by AMNESIA:33 are:

  • uIP (integrated into Contiki)
  • FNET
  • picoTCP
  • Ethernut (Nut/Net)

Of the 33 vulnerabilities, four are critical, with potential for remote code execution on certain devices.

CVE Details

| CVE | Vulnerability Type | Affected Component | Potential Impact | CVSSv3.1 Score |
|---|---|---|---|---|
| CVE-2020-24336 | Out-Of-Bounds Read | DNS response parsing in NAT64 | RCE | 9.8 |
| CVE-2020-24338 | Out-Of-Bounds Write | DNS domain name decoding | RCE | 9.8 |
| CVE-2020-25111 | Out-Of-Bounds Write | DNS domain name decoding / DNS response processing | RCE | 9.8 |
| CVE-2020-13987 | Out-Of-Bounds Read | TCP/UDP checksum calculation in IPv4 | DoS, Infoleak | 8.2 |
| CVE-2020-17437 | Out-Of-Bounds Write | TCP packet processing | DoS | 8.2 |
| CVE-2020-24334 | Out-Of-Bounds Read | DNS response processing | DoS | 8.2 |
| CVE-2020-17443 | Integer Overflow | ICMPv6 echo request processing | DoS | 8.2 |
| CVE-2020-24340 | Out-Of-Bounds Read | DNS response processing | DoS, Infoleak | 8.2 |
| CVE-2020-24341 | Out-Of-Bounds Read | TCP packet processing | DoS, Infoleak | 8.2 |
| CVE-2020-17467 | Out-Of-Bounds Read | LLMNR state machine | Infoleak | 8.2 |
| CVE-2020-25109 | Out-Of-Bounds Read | DNS domain name decoding / DNS response processing | DoS | 8.2 |
| CVE-2020-25110 | Out-Of-Bounds Read | DNS domain name decoding / DNS response processing | DoS | 8.2 |
| CVE-2020-17439 | Improper Input Validation | DNS response processing | DNS cache poisoning | 8.1 |
| CVE-2020-25112 | Out-Of-Bounds Write | ICMPv6 echo/reply processing | RCE | 8.1 |
| CVE-2020-13984 | Loop with Unreachable Exit Condition (‘Infinite Loop’) | Ext. header parsing in IPv6 (6LoWPAN) | DoS | 7.5 |
| CVE-2020-13985 | Integer Wraparound | Ext. header parsing in IPv6 | DoS | 7.5 |
| CVE-2020-13986 | Loop with Unreachable Exit Condition (‘Infinite Loop’) | Ext. header parsing in IPv6 (6LoWPAN) | DoS | 7.5 |
| CVE-2020-13988 | Integer Overflow | TCP options parsing in IPv4 | DoS | 7.5 |
| CVE-2020-17440 | Improper Null Termination | DNS domain name decoding | DoS | 7.5 |
| CVE-2020-24335 | Out-Of-Bounds Read | DNS domain name decoding | DoS | 7.5 |
| CVE-2020-17441 | Improper Input Validation | Ext. header parsing in IPv6, ICMPv6 checksum | DoS, Infoleak | 7.5 |
| CVE-2020-17442 | Integer Overflow | Ext. header parsing in IPv6 | DoS | 7.5 |
| CVE-2020-17444 | Integer Overflow | Ext. header parsing in IPv6 | DoS | 7.5 |
| CVE-2020-17445 | Out-Of-Bounds Read | Ext. header parsing in IPv6 | DoS | 7.5 |
| CVE-2020-24337 | Loop with Unreachable Exit Condition (‘Infinite Loop’) | TCP options parsing in IPv4 | DoS | 7.5 |
| CVE-2020-24339 | Out-Of-Bounds Read | DNS domain name decoding | DoS | 7.5 |
| CVE-2020-17468 | Out-Of-Bounds Read | Ext. header parsing in IPv6 | DoS | 7.5 |
| CVE-2020-25107 | Out-Of-Bounds Read | DNS domain name decoding / DNS response processing | DoS | 7.5 |
| CVE-2020-25108 | Out-Of-Bounds Write | DNS domain name decoding / DNS response processing | DoS | 7.5 |
| CVE-2020-17438 | Out-Of-Bounds Write | Fragmented packet reassembly in IPv4 | DoS | 7 |
| CVE-2020-24383 | Improper Null Termination | DNS domain name decoding | DoS, Infoleak | 6.5 |
| CVE-2020-17469 | Out-Of-Bounds Read | Fragmented packet reassembly in IPv6 | DoS | 5.9 |
| CVE-2020-17470 | Improper Input Validation | DNS response processing | DNS cache poisoning | 4 |
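Many rows in the table share one affected component, DNS domain name decoding, and the defect types attached to it (out-of-bounds read, out-of-bounds write, improper null termination) all come from trusting length bytes and compression pointers inside the response. The decoder below is an added, defensive example written for this post; it is not code from Forescout's report or from any of the affected stacks, and the status names, the 16-hop pointer cap and the sample messages are constructed for illustration. It shows the checks a name decoder needs so that a crafted response is rejected rather than read or written out of bounds: every read is bounded by the real message length, labels are capped at the RFC 1035 limit of 255 octets, compression pointers must refer strictly backwards and are hop-limited, and the output buffer is sized for the terminating NUL before anything is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoder outcomes (names constructed for this example). */
enum dns_name_status {
    DNS_NAME_OK = 0,
    DNS_NAME_TRUNCATED,        /* a label or pointer runs past the end of the message */
    DNS_NAME_BAD_LABEL,        /* length byte uses the reserved 0x40/0x80 prefixes */
    DNS_NAME_TOO_LONG,         /* wire name exceeds 255 octets (RFC 1035 limit) */
    DNS_NAME_POINTER_LOOP,     /* compression pointer does not point strictly backwards */
    DNS_NAME_OUTPUT_TOO_SMALL  /* caller's buffer cannot hold the dotted name plus NUL */
};

#define DNS_MAX_POINTER_HOPS 16  /* assumption: a generous cap, real names need far fewer */

/*
 * Decode the (possibly compressed) name at msg[offset] into out as "a.b.c".
 * Every read is checked against msg_len, the true size of the received message,
 * never against a length taken from the packet itself. On success *next_offset
 * is the position just after the name in its original (uncompressed) location.
 */
enum dns_name_status dns_decode_name(const uint8_t *msg, size_t msg_len, size_t offset,
                                     char *out, size_t out_len, size_t *next_offset)
{
    size_t pos = offset, out_pos = 0, wire_octets = 0, end = 0;
    int hops = 0;

    if (out_len == 0) return DNS_NAME_OUTPUT_TOO_SMALL;
    for (;;) {
        if (pos >= msg_len) return DNS_NAME_TRUNCATED;
        uint8_t len = msg[pos];

        if ((len & 0xC0) == 0xC0) {               /* 2-byte compression pointer */
            if (pos + 1 >= msg_len) return DNS_NAME_TRUNCATED;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            /* A pointer must refer to earlier data; rejecting target >= pos blocks
               self-references, and the hop cap bounds any pointer chain. */
            if (target >= pos || ++hops > DNS_MAX_POINTER_HOPS) return DNS_NAME_POINTER_LOOP;
            if (hops == 1) end = pos + 2;         /* the name ends after the first pointer */
            pos = target;
            continue;
        }
        if (len & 0xC0) return DNS_NAME_BAD_LABEL;
        if (len == 0) {                           /* root label terminates the name */
            if (hops == 0) end = pos + 1;
            break;
        }
        /* Ordinary label: its len bytes must all lie inside the message. */
        if (len > msg_len - pos - 1) return DNS_NAME_TRUNCATED;
        wire_octets += (size_t)len + 1;
        if (wire_octets > 255) return DNS_NAME_TOO_LONG;
        /* Room for a separating dot (if not the first label), the label and the NUL. */
        if (out_pos + (out_pos ? 1 : 0) + len + 1 > out_len) return DNS_NAME_OUTPUT_TOO_SMALL;
        if (out_pos) out[out_pos++] = '.';
        memcpy(out + out_pos, msg + pos + 1, len);
        out_pos += len;
        pos += (size_t)len + 1;
    }
    out[out_pos] = '\0';
    if (next_offset) *next_offset = end;
    return DNS_NAME_OK;
}

/* Constructed sample: 12-byte header (contents irrelevant here), then
   "example.com" at offset 12, a pointer to it at 25, and "www" + pointer at 27. */
static const uint8_t sample_msg[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,   /* offsets 12..24 */
    0xC0, 0x0C,                                        /* offset 25: pointer -> 12 */
    3,'w','w','w', 0xC0, 0x0C                          /* offset 27: "www" + pointer -> 12 */
};
/* Constructed malformed samples: a label claiming 5 bytes when only 2 remain,
   and a compression pointer that refers to itself. */
static const uint8_t truncated_msg[] = { 0,0,0,0,0,0,0,0,0,0,0,0, 5,'a','b' };
static const uint8_t self_ptr_msg[]  = { 0,0,0,0,0,0,0,0,0,0,0,0, 0xC0, 0x0C };

int main(void)
{
    char name[256];
    size_t next;
    const size_t offsets[] = { 12, 25, 27 };
    for (size_t i = 0; i < 3; i++) {
        enum dns_name_status st = dns_decode_name(sample_msg, sizeof sample_msg, offsets[i],
                                                  name, sizeof name, &next);
        printf("offset %zu: status %d name \"%s\" next %zu\n", offsets[i], st, name, next);
    }
    printf("truncated label: status %d\n",
           dns_decode_name(truncated_msg, sizeof truncated_msg, 12, name, sizeof name, NULL));
    printf("self-referencing pointer: status %d\n",
           dns_decode_name(self_ptr_msg, sizeof self_ptr_msg, 12, name, sizeof name, NULL));
    return 0;
}
```

The three well-formed decodes return "example.com", "example.com" and "www.example.com"; the two malformed messages are rejected with DNS_NAME_TRUNCATED and DNS_NAME_POINTER_LOOP instead of being read past the end of the buffer. The same bounded-read discipline applies to the response-record walk that follows the name, where the RDLENGTH field must likewise be checked against the message length before any copy.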

As per the report published by Forescout Research Labs,

Four of the vulnerabilities in AMNESIA:33 are critical, with potential for remote code execution on certain devices. Exploiting these vulnerabilities could allow an attacker to take control of a device, thus using it as an entry point on a network for internet-connected devices, as a pivot point for lateral movement, as a persistence point on the target network or as the final target of an attack. For enterprise organizations, this means they are at increased risk of having their network compromised or having malicious actors undermine their business continuity. For consumers, this means that their IoT devices may be used as part of large attack campaigns, such as botnets, without them being aware.

Affected Library Versions

  • uIP-Contiki-OS (end-of-life [EOL]), Version 3.0 and prior
  • uIP-Contiki-NG, Version 4.5 and prior
  • uIP (EOL), Version 1.0 and prior
  • open-iscsi, Version 2.1.12 and prior
  • picoTCP-NG, Version 1.7.0 and prior
  • picoTCP (EOL), Version 1.7.0 and prior
  • FNET, Version 4.6.3
  • Nut/Net, Version 5.1 and prior

PoC

Forescout’s researchers provided PoC details for CVE-2020-25111 in their report; no other PoCs are available yet.

Mitigations

Forescout’s researchers identify some mitigating actions that asset owners and security operators can take to protect their networks from the TCP/IP vulnerabilities in AMNESIA:33, and from similar flaws in other stacks:

  • Disable or block IPv6 traffic whenever it is not needed in the network.
  • Configure devices to rely on internal DNS servers as much as possible and closely monitor external DNS traffic.
  • Monitor all network traffic for malformed packets (for instance, having non-conforming field lengths or failing checksums) that try to exploit known vulnerabilities or possible 0-days.
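The last mitigation above, monitoring for packets with non-conforming field lengths or failing checksums, comes down to a small set of consistency checks between what a header claims and what was actually received. The checker below is an added example written for this post, not code from Forescout or from a monitoring product; the status names and the 44-byte sample SYN are constructed. It validates the IPv4 header (version, IHL, total length against the captured length, header checksum) and then walks the TCP option list, rejecting an option with length 0 or 1 or one that overruns the header. The option-walk checks are the ones that matter for the "TCP options parsing" rows in the table above, because an option length that never advances the cursor is the classic cause of an infinite loop in a parser that trusts it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of the sanity check (names constructed for this example). */
enum pkt_status {
    PKT_OK = 0,
    PKT_TRUNCATED,           /* header fields claim more bytes than were captured */
    PKT_BAD_VERSION,         /* not IPv4 */
    PKT_BAD_IHL,             /* IHL below the 20-byte minimum */
    PKT_BAD_TOTAL_LENGTH,    /* total length shorter than the header it contains */
    PKT_BAD_CHECKSUM,        /* IPv4 header checksum does not verify */
    PKT_BAD_TCP_DATA_OFFSET, /* TCP data offset below the 20-byte minimum */
    PKT_BAD_TCP_OPTION       /* option length 0 or 1, or option overruns the TCP header */
};

/* One's-complement sum over the header; yields 0 when the checksum field is correct. */
static uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (hdr_len & 1) sum += (uint32_t)hdr[hdr_len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Walk the TCP option list: every step must advance, and no option may leave the header. */
static enum pkt_status check_tcp_options(const uint8_t *tcp, size_t tcp_len)
{
    if (tcp_len < 20) return PKT_TRUNCATED;
    size_t data_off = (size_t)(tcp[12] >> 4) * 4;
    if (data_off < 20) return PKT_BAD_TCP_DATA_OFFSET;
    if (data_off > tcp_len) return PKT_TRUNCATED;
    size_t i = 20;
    while (i < data_off) {
        uint8_t kind = tcp[i];
        if (kind == 0) break;                                /* End of Option List */
        if (kind == 1) { i++; continue; }                    /* NOP carries no length byte */
        if (i + 1 >= data_off) return PKT_BAD_TCP_OPTION;    /* length byte missing */
        uint8_t len = tcp[i + 1];
        if (len < 2) return PKT_BAD_TCP_OPTION;              /* would never advance i */
        if (len > data_off - i) return PKT_BAD_TCP_OPTION;   /* overruns the header */
        i += len;
    }
    return PKT_OK;
}

/* Validate one captured IPv4 packet of cap_len bytes; TCP packets also get their options walked. */
enum pkt_status ipv4_packet_check(const uint8_t *pkt, size_t cap_len)
{
    if (cap_len < 20) return PKT_TRUNCATED;
    if ((pkt[0] >> 4) != 4) return PKT_BAD_VERSION;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20) return PKT_BAD_IHL;
    if (ihl > cap_len) return PKT_TRUNCATED;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (total < ihl) return PKT_BAD_TOTAL_LENGTH;
    if (total > cap_len) return PKT_TRUNCATED;
    if (ipv4_header_checksum(pkt, ihl) != 0) return PKT_BAD_CHECKSUM;
    if (pkt[9] == 6) return check_tcp_options(pkt + ihl, total - ihl);
    return PKT_OK;
}

/* Constructed sample: a 44-byte TCP SYN 192.168.0.1:80 -> 192.168.0.2:8080 with an MSS option. */
static const uint8_t sample_syn[44] = {
    0x45,0x00,0x00,0x2C, 0x00,0x01,0x00,0x00, 0x40,0x06,0xF9,0x77,
    0xC0,0xA8,0x00,0x01, 0xC0,0xA8,0x00,0x02,                    /* IPv4 header, checksum 0xF977 */
    0x00,0x50,0x1F,0x90, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x60,0x02,0xFF,0xFF, 0x00,0x00,0x00,0x00,                    /* data offset 6 (24 bytes), SYN */
    0x02,0x04,0x05,0xB4                                          /* MSS option, length 4 */
};

int main(void)
{
    uint8_t pkt[44];
    printf("well-formed SYN: %d\n", ipv4_packet_check(sample_syn, sizeof sample_syn));
    memcpy(pkt, sample_syn, sizeof pkt); pkt[41] = 0x00;   /* MSS option with length 0 */
    printf("zero-length TCP option: %d\n", ipv4_packet_check(pkt, sizeof pkt));
    memcpy(pkt, sample_syn, sizeof pkt); pkt[8] = 0x41;    /* TTL altered, checksum now stale */
    printf("bad IPv4 checksum: %d\n", ipv4_packet_check(pkt, sizeof pkt));
    memcpy(pkt, sample_syn, sizeof pkt); pkt[3] = 0xFF;    /* total length 255 > 44 captured */
    printf("total length beyond capture: %d\n", ipv4_packet_check(pkt, sizeof pkt));
    return 0;
}
```

Run over a capture feed, anything other than PKT_OK is worth logging with the source address, since well-behaved stacks do not emit such packets; the same pattern extends to the IPv6 extension-header chain and fragment offsets named elsewhere in the table, where the per-header length field is again checked against the bytes actually present before the walk advances.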

Patched versions

According to the report, the following patched releases are available:

  • FNET 4.7.0 and later
  • uIP-Contiki-NG 4.6.0 and later
  • Nut/Net 5.1 and later

CISA has released an ICS Advisory ICSA-20-343-01 to address AMNESIA:33.

Additional vendors affected by the AMNESIA:33 vulnerabilities have also released security advisories.

Detection

Qualys customers can scan their network with QID 38819 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage of these vulnerabilities.

References and Sources

https://www.forescout.com/company/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/

https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01
