Forescout researchers have discovered vulnerabilities in multiple TCP/IP stacks in which ISNs (Initial Sequence Numbers within TCP connections) are improperly generated, leaving TCP connections of a device open to attacks. Forescout researchers analyzed 11 total stacks: uIP, FNET, picoTCP, Nut/Net, lwIP, cycloneTCP, uC/TCP-IP, MPLAB Net, TI-NDKTCPIP, Nanostack, and Nucleus NET.
We found improperly generated ISNs in 9 of the 11 stacks analyzed.
This type of vulnerability has been used historically to break into general-purpose computers (notoriously by Kevin Mitnick, which led it to be known as the “Mitnick attack”). What makes this finding different is the stacks are primarily used in embedded devices, potentially widening their impact.
ISNs ensure that every TCP connection between two devices is unique and that there are no collisions, so that third parties cannot interfere with an ongoing connection. To guarantee these properties, ISNs must be randomly generated so that an attacker cannot guess an ISN and hijack an ongoing connection or spoof a new one.
Here’s a recap of our findings (lwIP and Nanostack are not mentioned as they were not found vulnerable):[su_table responsive=”yes” alternate=”no”]
|CVE ID||CVSSv3 Score||TCP/IP Stack analyzed||Description||Fix|
|CVE-2020-27213||7.5||Nut/Net 5.1||ISN generator relies on a highly predictable source (system timer) and has constant increments.||Patch in progress.|
|CVE-2020-27630||7.5||uC/TCP-IP 3.6.0||ISN generator relies on LCG, which is reversible from observed output streams. The algorithm is seeded with publicly recoverable information (i.e., system timer count).||uC/TCP-IP is no longer supported. Patched in the latest version of Micrium OS (successor project).|
|CVE-2020-27631||7.5||CycloneTCP 1.9.6||ISN generator relies on LCG, which is reversible from observed output streams. The algorithm is initially seeded with a publicly observable CRC value.||Patched in version 2.0.0.|
|CVE-2020-27632||7.5||NDKTCPIP 2.25||ISN generator is initialized with a constant value and has constant increments.||Patched in version 7.02 of Processor SDK.|
|CVE-2020-27633||7.5||FNET 4.6.3||ISN generator is initialized with a constant value and has constant increments.||Documentation updated to warn users and recommend implement-ing their own PRNG.|
|ISN generator is initialized with a constant value and has constant increments.||No response from maintainers.|
|ISN generator relies on LCG, which is reversible from observed output streams. The algorithm is seeded with publicly recoverable information (i.e., system timer count).||Version 2.1 removes the default (vulnerable) implementation and recommends users implement their own PRNG.|
|CVE-2020-27636||7.5||MPLAB Net 3.6.1||ISN generator relies on LCG, which is reversible from observed output streams. The algorithm is seeded with a static value.||Patched in version 3.6.4.|
|CVE-2020-28388||6.5||Nucleus NET 4.3||ISN generator relies on a combination of values that can be inferred from a network capture (MAC address of an endpoint and a value derived from the system clock).||Patched in Nucleus NET 5.2 and Nucleus ReadyStart v2012.12|
These vulnerabilities were discovered and disclosed to the affected vendors and maintainers in October 2020. Most vendors have already issued patches and/or mitigation recommendations to users. The developers of Nut/Net are working on a solution, and Forescout has not received a response from the uIP developers.
The vulnerabilities found (except CVE-2020-28388) have a common CVSSv3 score and vector of 7.5 and AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, respectively. Siemens has assigned a score of 6.5 to CVE-2020-28388 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. However, the actual severity on a particular device and TCP connection may vary depending on, for example, the use of encrypted sessions and the sensitivity of data exchanged.
The popularity and some use cases of the vulnerable stacks is extensive. As we outlined in our AMNESIA:33 report, uIP, FNET, picoTCP and Nut/Net are used by millions of devices, including everything from IT file servers to IoT embedded components. We believe that CycloneTCP, uC/TCP-IP, NDKTCPIP, MPLAB Net and Nucleus NET are equally popular and widespread.
In this research, Forescout has not tried to identify affected devices or device manufacturers. Still, there are several notable public use cases of some of the stacks, such as medical devices, wind turbine monitoring systems, remote terminal units (RTUs) and IT storage systems.
Identifying and patching devices running the vulnerable stacks is challenging because it is often unknown which devices run a particular stack, and embedded devices are notoriously difficult to manage and update.
That’s why we recommend this mitigation strategy:
- Discover and inventory devices that run a vulnerable TCP/IP stack. Forescout Research Labs has released an open-source script that uses active fingerprinting to detect devices running the affected stacks. The script is updated constantly with new signatures. Additionally, Nmap allows the collection of ISN metrics and performs statistical analyses to understand whether a target device suffers from weak ISN generation.
- Patch when possible. Monitor progressive patches released by affected device vendors and devise a remediation plan for your vulnerable asset inventory. Forescout can help orchestrate remediation workflows with other IT and security tools for devices that have available patches and can be patched outside of maintenance windows.
- Segment to mitigate risk. For vulnerable IoT and OT devices, use segmentation to minimize network exposure and the likelihood of compromise without impacting mission-critical functions or business operations. Segmentation and zoning can also limit the blast radius and business impact if a device is compromised. Forescout eyeSegment can help to restrict external communication paths and isolate or contain vulnerable devices in zones.
- Deploy IPsec. End-to-end cryptographic solutions built on top of the Network layer (IPsec) do not require any modifications to a TCP/IP stack in use while allowing to defend against TCP spoofing and connection reset attacks. Unfortunately, this comes at the cost of network bandwidth.
Phase Two of Project Memoria
In 2020 Forescout Research Labs started Project Memoria, an initiative that seeks to provide the cybersecurity community with the largest study on the security of TCP/IP stacks. The first outcome of the project was AMNESIA:33 – a set of 33 vulnerabilities affecting four open source TCP/IP stacks.
These latest findings represent the second study in Project Memoria, focusing on the same seven open source embedded TCP/IP stacks from the first study (uIP, FNET, picoTCP, Nut/Net, lwIP, cycloneTCP and uC/TCP-IP), as well as four other popular stacks: Microchip’s MPLAB Net, Texas Instruments’ NDKTCPIP, ARM’s Nanostack and Siemens’ Nucleus NET.
Forescout will continue to drive impactful research into TCP/IP stacks through Project Memoria. Our goal is to raise industry awareness of the vulnerability of these stacks and the importance of a secure software supply chain.
For a detailed analysis of ISN vulnerabilities in TCP/IP stacks, download the full report: NUMBER:JACK Weak ISN Generation in Embedded TCP/IP Stacks.