AMNESIA:33 is a study published by Forescout Research Labs under Project Memoria. The study consists of a report on 33 new vulnerabilities found in TCP/IP stacks used by multiple IoT, OT and IT device vendors.
AMNESIA:33 affects multiple open-source TCP/IP stacks, which means a single vulnerability tends to spread easily and silently across multiple codebases, development teams, companies and products. Vulnerable stacks are widely used in different IoT, OT and IT devices in different verticals, so it is difficult to assess the full impact of AMNESIA:33. Forescout estimates more than 150 vendors and millions of devices are vulnerable to AMNESIA:33.
AMNESIA:33 has four categories of potential impact:
- Remote code execution
- Denial of service (DoS via crash or infinite loop)
- Information leak
- DNS cache poisoning
Generally, these vulnerabilities can be exploited to take full control of a target device, impair its functionality, obtain potentially sensitive information, or inject malicious DNS records to point a device to an attacker-controlled domain.
The TCP/IP libraries affected by AMNESIA:33 are:
- uIP (integrated into Continki)
- Ethernut (Nut/Net)
Off the 33 vulnerabilities, four are critical with potential for remote code execution on certain devices.
|CVE||Vulnerability Type||Affected Component||Potential Impact||CVSSv3.1
|CVE-2020-24336||Out-Of-Bounds Read||DNS response
parsing in NAT64
|CVE-2020-24338||Out-Of-Bounds Write||DNS domain name decoding||RCE||9.8|
|CVE-2020-25111||Out-Of-Bounds Write||DNS domain name decoding/ DNS response processing||RCE||9.8|
|CVE-2020-13987||Out-Of-Bounds Read||TCP/UDP checksum
calculation in IPv4
|CVE-2020-17437||Out-Of-Bounds Write||TCP packet
|CVE-2020-24334||Out-Of-Bounds Read||DNS response processing||DoS||8.2|
|CVE-2020-17443||Integer Overflow||ICMPv6 echo request processing||DoS||8.2|
|CVE-2020-24340||Out-Of-Bounds Read||DNS response processing||DoS Infoleak||8.2|
|CVE-2020-24341||Out-Of-Bounds Read||TCP packet processing||DoS Infoleak||8.2|
|CVE-2020-17467||Out-Of-Bounds Read||LLMNR state machine||Infoleak||8.2|
|CVE-2020-25109||Out-Of-Bounds Read||DNS domain name decoding/ DNS response processing||DoS||8.2|
|CVE-2020-25110||Out-Of-Bounds Read||DNS domain name decoding/ DNS response processing||DoS||8.2|
|CVE-2020-17439||Improper Input Validation||DNS response processing||DNS cache poisoning||8.1|
|CVE-2020-25112||Out-Of-Bounds Write||ICMPv6 echo/reply processing||RCE||8.1|
|CVE-2020-13984||Loop with Unreachable Exit Condition (‘Infinite Loop’)||Ext. header parsing in IPv6 (6LoWPAN)||DoS||7.5|
|CVE-2020-13985||Integer Wraparound||Ext. header parsing in IPv6||DoS||7.5|
|CVE-2020-13986||Loop with Unreachable Exit Condition (‘Infinite Loop’)||Ext. header parsing in IPv6 (6LoWPAN)||DoS||7.5|
|CVE-2020-13988||Integer Overflow||TCP options parsing in IPv4||DoS||7.5|
|CVE-2020-17440||Improper Null Termination||DNS domain name
|CVE-2020-24335||Out-Of-Bounds Read||DNS domain name decoding||DoS||7.5|
|CVE-2020-17441||Improper Input Validation||Ext. header parsing in IPv6, ICMPv6 checksum||DoS Infoleak||7.5|
|CVE-2020-17442||Integer Overflow||Ext. header parsing in IPv6||DoS||7.5|
|CVE-2020-17444||Integer Overflow||Ext. header parsing in IPv6||DoS||7.5|
|CVE-2020-17445||Out-Of-Bounds Read||Ext. header parsing in IPv6||DoS||7.5|
|CVE-2020-24337||Loop with Unreachable Exit Condition (‘Infinite Loop’)||TCP options parsing in IPv4||DoS||7.5|
|CVE-2020-24339||Out-Of-Bounds Read||DNS domain name decoding||DoS||7.5|
|CVE-2020-17468||Out-Of-Bounds Read||Ext. header parsing in IPv6||DoS||7.5|
|CVE-2020-25107||Out-Of-Bounds Read||DNS domain name decoding/ DNS response processing||DoS||7.5|
|CVE-2020-25108||Out-Of-Bounds Write||DNS domain name decoding/ DNS response processing||DoS||7.5|
|CVE-2020-17438||Out-Of-Bounds Write||Fragmented packet reassembly in IPv4||DoS||7|
|CVE-2020-24383||Improper Null Termination||DNS domain name decoding||DoS Infoleak||6.5|
|CVE-2020-17469||Out-Of-Bounds Read||Fragmented packet reassembly in IPv6||DoS||5.9|
|CVE-2020-17470||Improper Input Validation||DNS response processing||DNS cache poisoning||4|
As per the report published by Forescout Research Labs,
Four of the vulnerabilities in AMNESIA:33 are critical, with potential for remote code execution on certain devices. Exploiting these vulnerabilities could allow an attacker to take control of a device, thus using it as an entry point on a network for internet-connected devices, as a pivot point for lateral movement, as a persistence point on the target network or as the final target of an attack. For enterprise organizations, this means they are at increased risk of having their network compromised or having malicious actors undermine their business continuity. For consumers, this means that their IoT devices may be used as part of large attack campaigns, such as botnets, without them being aware.
Affected Libraries versions
- uIP-Contiki-OS (end-of-life [EOL]), Version 3.0 and prior
- uIP-Contiki-NG, Version 4.5 and prior
- uIP (EOL), Version 1.0 and prior
- open-iscsi, Version 2.1.12 and prior
- picoTCP-NG, Version 1.7.0 and prior
- picoTCP (EOL), Version 1.7.0 and prior
- FNET, Version 4.6.3
- Nut/Net, Version 5.1 and prior
Forescout’s researchers provided the PoC details for CVE-2020-25111 in their report, and no other PoC’s are available yet.
Forescout’s researchers identify some possible mitigating actions that asset owners and security operators can take to protect their networks from the TCP/IP vulnerabilities in AMNESIA:33 and also in other stacks:
- Disable or block IPv6 traffic whenever it is not needed in the network.
- Configure devices to rely on internal DNS servers as much as possible and closely monitor external DNS traffic.
- Monitor all network traffic for malformed packets (for instance, having non-conforming field lengths or failing checksums) that try to exploit known vulnerabilities or possible 0-days.
According to the report, the following patches are available for libraries –
- FNET 4.7.0 and later
- uIP-Contiki-NG 4.6.0 and later
- Nut/Net 5.1 and later
CISA has released an ICS Advisory ICSA-20-343-01 to address AMNESIA:33.
Additional vendors affected by the AMNESIA:33 vulnerabilities have also released security advisories.
- EMU Electronic AG
- Yanzi Networks
Qualys customers can scan their network with QID # 38819 to detect vulnerable assets. Please continue to follow on Qualys Threat Protection for more coverage on these vulnerabilities.