Discovered ‘Amnesia:33’ vulnerabilities in millions of smart & industrial devices increase National & Corporate Cyber-Survivability & Security risks & damage from Geo-Poli-Cyber hackers
Survivability News reports today about 33 discovered security flaws in four open-source TCP/IP libraries currently used inside the firmware of products from more than 150 vendors.
These new vulnerabilities can compromise governments, organizations and citizens and can increase national and corporate Cyber-Survivability and Security risk vectors, especially if the perpetrators are Geo-Poli-Cyber motivated hackers. It is estimated that millions of consumer and industrial-grade devices are currently impacted by these security flaws, named Amnesia:33.
Impacted systems include anything you can think of, including smartphones, gaming consoles, sensors, system-on-a-chip (SOC) boards, HVAC systems, printers, routers, switches, IP cameras, self-checkout kiosks, RFID asset trackers, badge readers, uninterruptible power supplies, and all sorts of industrial equipment.
AMNESIA:33 Bugs Reside in Four Open-Source TCP/IP Stacks
Over the past two decades, device makers have often added one of these four libraries to the firmware of their devices to allow their products to support TCP/IP, today’s most widely used networking communications protocols.
Due to the crucial functions they provide to a device, an MLi Group Cyber-Survivability and Security expert said, “governments, organizations and citizens can be compromised because the 33 discovered vulnerabilities would allow a hacker to perform a wide range of attacks such as:
- Remote code execution (RCE) to take control of a target device.
- Denial of service (DoS) to impair functionality and impact business operations.
- Information leak (infoleak) to acquire potentially sensitive information.
- DNS cache poisoning attacks to point a device to a malicious website.”
He later added: “These newly discovered vulnerabilities are Geo-Poli-Cyber hackers’ wet dream to perpetrate devastation on their target for political, ideological, extremist or terrorist agendas. Exploiting any devices using one of the Amnesia:33 bugs depends on which devices the stakeholder uses and where the devices are deployed across its network. For example, by their nature, routers can be exploited remotely, as they are usually connected to a company’s or government’s operation’s external interface. Other devices, like sensors and industrial equipment, might require that attackers gain access to the stakeholder’s internal network first.”
From RIPPLE20 to AMNESIA:33
Inspired by the discovery of the Ripple20 vulnerabilities in the Treck TCP/IP stack last year, researchers analysed the security of seven other TCP/IP stacks in search of similarly dangerous vulnerabilities.
“To perform the analysis, a combination of automated fuzzing (white-box code instrumentation based on libFuzzer), manual analysis guided by variant hunting using the Joern code querying engine and a pre-existing corpus of vulnerabilities […] and manual code review was used,” the research team said today.
The study found no vulnerabilities in the lwIP, uC/TCP-IP, and CycloneTCP stacks. This does not imply that there are no flaws in these stacks, but it was observed that the three stacks have very consistent bounds checking and generally do not rely on shotgun parsing, one of the most common anti-patterns identified.
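The contrast drawn above between consistent bounds checking and shotgun parsing, shown as an added example that is not code from any of the stacks named on this page: a constructed TCP-option parser written both ways. `struct conn` and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical connection state. Kinds: 0 end, 1 NOP, 2 MSS (len 4), 3 wscale (len 3). */
struct conn { uint16_t mss; uint8_t wscale; };

/* Pass 1: recognise the whole list, touch no state. 0 = well-formed and in bounds. */
static int options_valid(const uint8_t *o, size_t n) {
    size_t i = 0;
    while (i < n) {
        if (o[i] == 0) return 0;               /* end of list: rest is padding */
        if (o[i] == 1) { i++; continue; }      /* NOP is a single byte */
        if (n - i < 2) return -1;              /* no room for the length byte */
        size_t len = o[i + 1];
        if (len < 2 || len > n - i) return -1; /* cover kind+len, stay in buffer */
        if ((o[i] == 2 && len != 4) || (o[i] == 3 && len != 3)) return -1;
        i += len;
    }
    return 0;
}

/* Pass 2: apply options. Only ever called on input that passed pass 1. */
static void options_apply(struct conn *c, const uint8_t *o, size_t n) {
    size_t i = 0;
    while (i < n && o[i] != 0) {
        if (o[i] == 1) { i++; continue; }
        if (o[i] == 2) c->mss = (uint16_t)((o[i + 2] << 8) | o[i + 3]);
        if (o[i] == 3) c->wscale = o[i + 2];
        i += o[i + 1];
    }
}

/* Validate-then-use: malformed input is rejected with *c left unchanged. */
int parse_options(struct conn *c, const uint8_t *o, size_t n) {
    if (options_valid(o, n) != 0) return -1;
    options_apply(c, o, n);
    return 0;
}

/* Shotgun style, for contrast: checks are interleaved with side effects, so a
 * list that turns out malformed halfway through has already modified *c. */
int parse_options_shotgun(struct conn *c, const uint8_t *o, size_t n) {
    size_t i = 0;
    while (i < n && o[i] != 0) {
        if (o[i] == 1) { i++; continue; }
        if (n - i < 2 || o[i + 1] < 2 || o[i + 1] > n - i) return -1;
        if (o[i] == 2 && o[i + 1] == 4) c->mss = (uint16_t)((o[i + 2] << 8) | o[i + 3]);
        if (o[i] == 3 && o[i + 1] == 3) c->wscale = o[i + 2];
        i += o[i + 1];
    }
    return 0;
}
```

Both variants here are memory-safe; the difference is that the shotgun variant returns an error after it has already acted on part of an input it later rejects.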
National Cyber-Survivability & Security Risks Increased
But while the Amnesia:33 bugs were easy to discover and patch, the real work only now begins. Just like in the case of the Ripple20 vulnerabilities, device vendors will need to take the updated TCP/IP stacks and integrate them as firmware updates to their products.
While in some cases —like smartphones or networking equipment— this might be an easy task due to over-the-air update mechanisms included with some of these products, many other vulnerable devices don’t even ship with the ability to update the firmware, meaning some equipment will most likely remain vulnerable for the rest of their shelf life.
Must Do Now – Mitigation Strategies, Solutions & Audits.
The MLi Group Cyber-Survivability expert later added, “Detecting these bugs is a huge task. That’s because many devices these days don’t come with a software bill of materials, and many companies won’t even know they are running systems that use one of these four TCP/IP stacks that are vulnerable to Amnesia:33 attacks. As a result, they remain exposed, and only discover they have been vulnerable after they have been hacked. By that time, serious damage has been done.”
In other words, the smart device and IoT ecosystem will remain a mess, increasing the risk of a national survivability and security disaster waiting to happen, for years to come. Smart cities and buildings are now at increased risk.
Companies will either need to replace devices, or deploy countermeasures to prevent the exploitation of any of the Amnesia:33 vulnerabilities. But that’s not enough.
Decision makers must reconsider their continued reliance on resiliency, continuity and cyber security strategies and solutions that keep failing to defend, as well as the bad coding practices, such as an absence of basic input validation and shotgun parsing, that are the primary issues at the heart of both the Ripple20 and Amnesia:33 vulnerabilities and that can compromise businesses and nation states.
In simple terms, decision makers must re-evaluate their existing mitigation strategies and solutions, which would start by requesting a comprehensive MLi Group Cyber-Survivability and Security audit.
What to do next?
Are you a government or corporate decision maker or a board member who wishes to learn more about the Amnesia:33 vulnerabilities and their impact on corporate or national security?
If you wish to discuss how an MLi Group National Cyber-Survivability Strategy with a Legislative Road Map & Plan, or A Corporate Cyber-Survivability Strategy with an Operating and Execution Plan can improve your current national or corporate posture and strategies, please click below to submit your Expression of Interest (EOI) for a Private Briefing.