More than 100 million IoT devices have critical flaws in their TCP/IP stack supply chain
The group of researchers at Forescout has completed another portion of its vulnerability investigation. The new report will be published after 4th August 2021. It will reveal 14 all-new flaws in a very popular network stack used by a wide range of devices, from common IT equipment to IIoT systems from major vendors.
This research is of utmost interest to industrial facilities, especially those in the critical infrastructure sector.
The convergence of IT and OT technologies there, together with fast-evolving IoT and IIoT use, creates many opportunities for operations management but also opens many "doors" for malicious actors, including APTs, who exploit the most popular IT vulnerabilities in the wild.
Of the 14 newly discovered and registered CVEs, two are critical, with CVSS v3.1 scores above 9.1, and allow remote code execution (RCE), much like the attack on the iOS Wi-Fi daemon confirmed in July 2021.
Besides the RCEs, DoS, information exfiltration, and spoofing attacks were also demonstrated during lab testing.
The company specializes in network visibility and anomaly detection in OT networks.
Already in 2020, it became clear that some technologies in the supply chain were creating almost identical vulnerabilities across many well-known vendors. By April 2021, the affected population was estimated at between 100k and 100M OT, IT, and IoT devices around the globe (based on market research).
We can track discoveries of Forescout in the following sequence:
- June 2020 – Ripple20 project reveals a set of 19 vulnerabilities on the Treck TCP/IP stack.
- December 2020 – AMNESIA:33 presents the next 33 vulnerabilities affecting 4 open-source TCP/IP stacks.
- February 2021 – project NUMBER:JACK discovered 9 vulnerabilities affecting 9 TCP/IP stacks.
- April 2021 – NAME:WRECK operation found a set of 9 vulnerabilities affecting DNS clients of 4 TCP/IP stacks.
Image source – forescout.com
As always, when an operational technology device is involved, only a few recommendations come into play, and each requires a very thorough approach and sometimes threatens the reliability of the running process.
Nevertheless, to avoid catastrophe, it is recommended to:
- Patch devices as soon as vendor patches are available. This is the almost universal recommendation for any kind of system, but it is rather difficult here because patches are rare and the systems run 24/7/365.
- Apply physical network segmentation to your vulnerable devices. Many network administrators handle OT devices like any other IT asset: if Internet access is required for updates, it is granted without any precautions. This behavior exposes critical devices to every possible remote attack without the attacker needing to penetrate the network perimeter.
- Disable and block unused services. For the sake of usability, many vendors apply a common technology stack directly to their devices, enabling HTTP, FTP, SSH, and other typical services for maintenance and configuration. This gives malicious actors easy-to-execute attack scenarios and a foothold on the targeted systems.
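The three recommendations above translate naturally into an asset-triage check: is the device behind the vendor's fixed firmware, does it sit outside the segmented OT zone or face the Internet, and does it still run maintenance services it does not need? The following Python script is an added example and is not code from Forescout or from the report; the device inventory, firmware versions and "fixed" version thresholds are constructed for illustration, and the service names are the ones the text lists.

```python
"""Triage helper for the three mitigations discussed above: patch level,
network segmentation/exposure, and unused maintenance services.

Added example. The inventory below is constructed; the firmware version
numbers and the patched_firmware thresholds are hypothetical placeholders,
not values from the vendor advisories.
"""
from dataclasses import dataclass, field

# Maintenance services the article names as typical footholds on OT devices.
MAINTENANCE_SERVICES = {"http", "ftp", "ssh", "telnet"}

# Relative weights for ranking findings; each unused service adds 1.
WEIGHTS = {"internet-exposed": 4, "unpatched": 3, "not-segmented": 2}


@dataclass
class Device:
    name: str
    zone: str                  # "ot" (segmented) or "flat" (shares the IT network)
    internet_reachable: bool   # directly reachable from the Internet
    firmware: tuple            # installed firmware, e.g. (4, 0, 2)
    patched_firmware: tuple    # first version the vendor lists as fixed (hypothetical)
    services: set = field(default_factory=set)  # listening services seen on the device


def triage(dev: Device) -> list:
    """Return the list of findings for one device, in a fixed order."""
    findings = []
    if dev.firmware < dev.patched_firmware:      # tuple comparison is version order
        findings.append("unpatched")
    if dev.zone != "ot":
        findings.append("not-segmented")
    if dev.internet_reachable:
        findings.append("internet-exposed")
    unused = sorted(dev.services & MAINTENANCE_SERVICES)
    if unused:
        findings.append("unused-services:" + ",".join(unused))
    return findings


def score(dev: Device) -> int:
    """Weighted risk score built from the triage findings."""
    total = 0
    for finding in triage(dev):
        if finding.startswith("unused-services:"):
            total += len(finding.split(":", 1)[1].split(","))
        else:
            total += WEIGHTS[finding]
    return total


def prioritize(devices: list) -> list:
    """Devices ordered from most to least urgent to remediate."""
    return sorted(devices, key=score, reverse=True)


# Constructed inventory: one segmented PLC, one flat-network HMI, one RTU.
INVENTORY = [
    Device("plc-01", "ot", False, (4, 0, 2), (4, 1, 0), {"modbus"}),
    Device("hmi-02", "flat", True, (4, 0, 2), (4, 1, 0), {"http", "ftp", "vnc"}),
    Device("rtu-03", "ot", False, (4, 1, 0), (4, 1, 0), {"ssh", "dnp3"}),
]

if __name__ == "__main__":
    for dev in prioritize(INVENTORY):
        print(f"{dev.name:8} score={score(dev):2}  {', '.join(triage(dev)) or 'ok'}")
```

The ordering puts Internet exposure above missing patches on purpose: on an OT network where patch windows are rare, removing the exposure path (segmentation, blocking the unused HTTP/FTP/SSH listeners at the boundary) is usually the mitigation that can be applied first, while the patch is scheduled for the next maintenance window.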
Stay tuned and stay alert!