IoT devices at risk from Amnesia:33
December 17, 2020
A new series of vulnerabilities dubbed Amnesia:33 puts millions of IoT devices at risk of being compromised.
Security researchers from Forescout disclosed the 33 vulnerabilities today. The flaws are found in four open-source TCP/IP libraries used in the firmware of products from over 150 vendors.
According to the researchers’ estimates, millions of consumer and enterprise IoT devices are at risk from Amnesia:33 vulnerabilities.
The affected libraries are uIP, FNET, picoTCP, and Nut/Net. Manufacturers have used these libraries for decades to add TCP/IP support to their products.
Here are the number of vulnerabilities discovered in each library:
- uIP – 13
- picoTCP – 10
- FNET – 5
- Nut/Nut – 5
uIP, the most vulnerable library, was also found to be used in the highest number of vendors.
Forescout also analysed the following libraries but did not find any vulnerabilities: lwIP, CycloneTCP, and uC/TCP-IP.
Due to the prevalence of these libraries, just about every type of connected hardware is impacted by Amnesia:33—from SoCs to smart plugs, from IP cameras to servers.
Unlike the previously disclosed Ripple20 vulnerabilities, Amnesia:33 primarily affects the DNS, TCP, and IPv4/IPv6 sub-stacks.
Ripple20 and Amnesia:33 vulnerabilities both predominately consist of Out-of-Bounds Read, followed by Integer Overflow.
IoT devices (46%) represent the highest number of affected device types, according to Forescout’s research. This is followed by OT/BAS and OT/ICS at 19 percent, and then IT at 16 percent.