
Security Highlight: The Real Threat of Amnesia-33

In December 2020, ForeScout analyzed seven open-source embedded TCP/IP stacks and found a set of 33 vulnerabilities in four of them (uIP, picoTCP, FNET and Nut/Net). Four of these vulnerabilities are rated critical and can lead to remote code execution; the rest range from denial of service to information leaks and DNS cache poisoning.

One of these critical vulnerabilities is a heap buffer overflow in DNS response parsing. A DNS reply is entirely under the remote sender's control, and when its domain-name encoding violates what the stack expects, the name decoder writes past the end of a fixed-size heap buffer, giving an out-of-bounds write to the heap. The attacker needs no credentials, only the ability to deliver or spoof a DNS response to the device; from there it is possible to take control of the device and use it as a foothold for further attacks in the network where it sits.
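The bug class in concrete form, as an added example written for this page and not code from ForeScout or from any of the four affected stacks: a DNS wire-format name decoder that checks the message it reads from but never tracks how much it writes into a fixed 64-byte heap buffer, beside a hardened decoder that bounds every write, caps label and total name length, and limits compression-pointer hops. The buffer size, the hop limit and the sample messages (a benign name, one using a compression pointer, a self-referencing pointer, and a name built from three 63-byte labels) are constructed assumptions. The vulnerable decoder is run into a deliberately over-allocated buffer so the bytes it clobbers can be counted instead of crashing the process.

```c
/* Constructed example, not ForeScout's code nor any affected stack's: a DNS name
 * decoder with the heap out-of-bounds write pattern, beside a hardened version.
 * Buffer size, hop limit and the sample messages are assumptions. Build with cc. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 64   /* assumed: small fixed heap buffer, typical of constrained stacks */
#define CANARY   192  /* padding after NAME_BUF so the overflow is observable, not a crash */
#define MAX_HOPS 8    /* assumed cap on DNS compression-pointer hops */

/* Vulnerable: reads are checked against msg_len, but nothing tracks writes to out.
 * Three legal 63-byte labels (a valid 191-character name) overrun a 64-byte buffer. */
static int decode_name_vulnerable(const uint8_t *msg, size_t msg_len,
                                  size_t off, char *out)
{
    size_t w = 0;
    while (off < msg_len) {
        uint8_t len = msg[off++];
        if (len == 0) { out[w] = '\0'; return 0; }
        if (len > 63 || off + len > msg_len) return -1; /* read side is checked */
        if (w) out[w++] = '.';
        memcpy(out + w, msg + off, len);                 /* write side is not */
        w += len; off += len;
    }
    return -1;
}

/* Hardened: writes bounded by out_len, labels by 63 bytes, the name by the 255-byte
 * DNS limit, and compression pointers (0xC0 prefix) by message bounds and a hop cap. */
static int decode_name_safe(const uint8_t *msg, size_t msg_len, size_t off,
                            char *out, size_t out_len)
{
    size_t w = 0, total = 0; int hops = 0;
    while (off < msg_len) {
        uint8_t len = msg[off++];
        if (len == 0) { if (w >= out_len) return -1; out[w] = '\0'; return 0; }
        if ((len & 0xC0) == 0xC0) {                         /* compression pointer */
            if (off >= msg_len || ++hops > MAX_HOPS) return -1;
            off = ((size_t)(len & 0x3F) << 8) | msg[off];
            continue;
        }
        if (len > 63 || off + len > msg_len) return -1;
        if ((total += len + 1) > 255) return -1;
        if (w + (w ? 1 : 0) + len + 1 > out_len) return -1; /* label, dot, NUL must fit */
        if (w) out[w++] = '.';
        memcpy(out + w, msg + off, len);
        w += len; off += len;
    }
    return -1;                                              /* truncated name */
}

static const uint8_t benign[] = {      /* constructed: "www.example.com" in wire format */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t with_pointer[] = {    /* constructed: "www" then a pointer to offset 12 */
    3,'w','w','w', 0xC0,0x0C, 0,0,0,0,0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t pointer_loop[] = { 0xC0, 0x00 };  /* constructed: pointer to itself */
static uint8_t crafted[3 * 64 + 1];                    /* three 63-byte labels, built below */

/* Fills crafted[] and returns its length: legal per RFC 1035, yet 191 text characters. */
static size_t crafted_len(void)
{
    size_t off = 0;
    for (int i = 0; i < 3; i++) { crafted[off++] = 63; memset(crafted + off, 'A' + i, 63); off += 63; }
    crafted[off++] = 0;
    return off;
}

/* Decode into a NAME_BUF heap buffer followed by a canary region and count the canary
 * bytes the vulnerable decoder overwrote: on a device those are neighbouring heap objects. */
size_t canary_bytes_clobbered(const uint8_t *msg, size_t msg_len)
{
    uint8_t *heap = malloc(NAME_BUF + CANARY);
    size_t clobbered = 0;
    if (!heap) return 0;
    memset(heap, 0xEE, NAME_BUF + CANARY);
    decode_name_vulnerable(msg, msg_len, 0, (char *)heap);
    for (size_t i = NAME_BUF; i < NAME_BUF + CANARY; i++)
        if (heap[i] != 0xEE) clobbered++;
    free(heap);
    return clobbered;
}

/* 1 = hardened decoder accepted and output matches expected, 0 = differs, -1 = rejected */
int safe_decodes(const uint8_t *msg, size_t msg_len, const char *expected)
{
    char out[NAME_BUF];
    if (decode_name_safe(msg, msg_len, 0, out, sizeof out) != 0) return -1;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    size_t n = crafted_len();
    printf("vulnerable, benign:  %zu canary bytes clobbered\n", canary_bytes_clobbered(benign, sizeof benign));
    printf("vulnerable, crafted: %zu canary bytes clobbered\n", canary_bytes_clobbered(crafted, n));
    printf("hardened, crafted:   %d (-1 = rejected)\n", safe_decodes(crafted, n, ""));
    printf("hardened, pointer:   %d (1 = ok)\n", safe_decodes(with_pointer, sizeof with_pointer, "www.example.com"));
    printf("hardened, loop:      %d (-1 = rejected)\n", safe_decodes(pointer_loop, sizeof pointer_loop, ""));
    return 0;
}
```

The crafted name is legal DNS: three 63-byte labels, well under the 255-byte maximum. That is the point: the decoder is not fooled by an invalid name but by a buffer sized for the names the developer expected. On a real device the 128 overwritten bytes belong to adjacent heap allocations, which is what an attacker shapes into code execution; the hardened decoder refuses the name at the second label because the write would not fit, and also terminates on a pointer loop that would otherwise spin forever.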

ForeScout estimates that over 150 vendors use the affected stacks and that millions of devices are vulnerable to Amnesia-33. Because the flaws sit in the network stack itself, an attacker can reach them with malformed packets arriving at any network-exposed interface, disrupt the processes that depend on the device, or use it as a stepping stone to other assets on the same network. Although no complete attack chain has been demonstrated publicly, the potential impact ranges from denial of service, the most common outcome among the 33 bugs, up to full device compromise.

Beyond the severity of the flaws, there is a second lesson: code being open source and widely deployed is no guarantee that anyone has scrutinized it. Some of these stacks have been embedded in products for well over a decade, and the bugs are classic memory-safety mistakes in code that parses untrusted network input. No software should be trusted before careful evaluation.

In their FAQ, ForeScout proposed several mitigations, including inventorying affected devices, patching, network segmentation and monitoring for malformed traffic. These make sense, but they only address the vulnerabilities already published. A device vendor building on open-source components should also look for the flaws that have not been published yet, through code review and automated analysis such as static analysis and fuzzing of the parsers that handle network input. Keysight provides software security evaluation services and works on software security tooling that helps identify and analyze similar flaws.

If you have questions, contact us at [email protected].
