ISN generation vulnerabilities found in nine of eleven TCP/IP stacks, says Forescout Research Labs

Forescout researchers have discovered vulnerabilities in multiple TCP/IP stacks in which ISNs (Initial Sequence Numbers within TCP connections) are improperly generated. This leaves devices’ TCP connections open to attack.

In a recent assessment, Forescout researchers analysed a total of 11 stacks: uIP, FNET, picoTCP, Nut/Net, lwIP, cycloneTCP, uC/TCP-IP, MPLAB Net, TI-NDKTCPIP, Nanostack, and Nucleus NET.

Improperly generated ISNs in 9 of 11 stacks

This type of vulnerability has been used historically to break into general-purpose computers, notoriously by Kevin Mitnick, which led to it being known as the “Mitnick attack”. (Kevin David Mitnick is a US computer security consultant, author and convicted hacker. He was arrested in 1995 and spent five years in prison for computer and communications-related crimes.) What makes this finding different is that the stacks are primarily used in embedded devices, potentially widening their impact.

ISNs ensure that every TCP connection between two devices is unique and that there are no collisions, so that third parties cannot interfere with an ongoing connection. To guarantee these properties, ISNs must be randomly generated so that an attacker cannot guess an ISN and hijack an ongoing connection or spoof a new one.

As the survey organisers say, “This research again highlights the security challenges of the IoT (Internet of Things) world and why it is fundamental for network operators to employ cybersecurity tools that ensure visibility and control of networked devices, including granular classification to detect vulnerable components, as well as the possibility of segmenting and enforcing policies on the network.”

Here’s a recap of our findings (lwIP and Nanostack are not mentioned as they were not found vulnerable):

| CVE ID | CVSSv3 Score | TCP/IP Stack analysed | Description | Fix |
|---|---|---|---|---|
| CVE-2020-27213 | 7.5 | Nut/Net 5.1 | ISN generator relies on a highly predictable source (system timer) and has constant increments. | Patch in progress. |
| CVE-2020-27630 | 7.5 | uC/TCP-IP 3.6.0 | ISN generator relies on LCG, which is reversible from observed output streams. The algorithm is seeded with publicly recoverable information (i.e., system timer count). | uC/TCP-IP is no longer supported. Patched in the latest version of Micrium OS (successor project). |
| CVE-2020-27631 | 7.5 | CycloneTCP 1.9.6 | ISN generator relies on LCG, which is reversible from observed output streams. The algorithm is initially seeded with a publicly observable CRC value. | Patched in version 2.0.0. |
| CVE-2020-27632 | 7.5 | NDKTCPIP 2.25 | ISN generator is initialised with a constant value and has constant increments. | Patched in version 7.02 of Processor SDK. |
| CVE-2020-27633 | 7.5 | FNET 4.6.3 | ISN generator is initialised with a constant value and has constant increments. | Documentation updated to warn users and recommend implementing their own PRNG. |
| | | uIP 1.0, Contiki-OS 3.0, Contiki-NG 4.5 | ISN generator is initialised with a constant value and has constant increments. | No response from maintainers. |
| CVE-2020-27635 | 7.5 | PicoTCP 1.7.0, PicoTCP-NG | ISN generator relies on LCG, which is reversible from observed output streams. The algorithm is seeded with publicly recoverable information (i.e., system timer count). | Version 2.1 removes the default (vulnerable) implementation and recommends users implement their own PRNG. |
| CVE-2020-27636 | 7.5 | MPLAB Net 3.6.1 | ISN generator relies on LCG, which is reversible from observed output streams. The algorithm is seeded with a static value. | Patched in version 3.6.4. |
| CVE-2020-28388 | 6.5 | Nucleus NET 4.3 | ISN generator relies on a combination of values that can be inferred from a network capture (MAC address of an endpoint and a value derived from the system clock). | Patched in Nucleus NET 5.2 and Nucleus ReadyStart v2012.12 |

These vulnerabilities were discovered and disclosed to the affected vendors and maintainers in October 2020. Most vendors have already issued patches and/or mitigation recommendations to users. The developers of Nut/Net are working on a solution, and Forescout has not received a response from the uIP developers.

The vulnerabilities found (except CVE-2020-28388) have a common CVSSv3 score and vector of 7.5 and AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, respectively. Siemens has assigned a score of 6.5 to CVE-2020-28388 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. However, the actual severity on a particular device and TCP connection may vary depending on, for example, the use of encrypted sessions and the sensitivity of data exchanged.
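
The “constant value and constant increments” weakness from the table, next to a generator in the style of RFC 6528 (ISN = timer + keyed hash of the connection 4-tuple), as an added example that is not code from Forescout or from any of the listed stacks. The start value, step, addresses and the use of HMAC-SHA256 as the keyed hash are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct
import time
from ipaddress import ip_address

MASK32 = 0xFFFFFFFF


class ConstantIncrementISN:
    """Weak pattern from the table: fixed start value, fixed step per connection."""

    def __init__(self, start=0x00001000, step=64000):  # constructed values
        self.next_isn = start
        self.step = step

    def generate(self, laddr, lport, raddr, rport):
        isn = self.next_isn
        self.next_isn = (self.next_isn + self.step) & MASK32
        return isn


class Rfc6528ISN:
    """ISN = M + F(4-tuple, secret): M is a 4-microsecond timer, F a keyed hash."""

    def __init__(self, secret=None, clock=time.monotonic):
        # Per-boot secret; here it comes from the OS CSPRNG (assumption for a host demo).
        self.secret = secret or os.urandom(32)
        self.clock = clock

    def generate(self, laddr, lport, raddr, rport):
        tuple_bytes = (ip_address(laddr).packed + struct.pack("!H", lport) +
                       ip_address(raddr).packed + struct.pack("!H", rport))
        digest = hmac.new(self.secret, tuple_bytes, hashlib.sha256).digest()
        offset = struct.unpack("!I", digest[:4])[0]  # per-connection offset
        timer = int(self.clock() * 250_000)          # one tick every 4 microseconds
        return (timer + offset) & MASK32


def has_constant_increments(isns):
    """Audit check: True if consecutive ISNs always differ by the same amount."""
    deltas = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    return len(isns) >= 3 and len(deltas) == 1


def sample(generator, count=16):
    """Collect ISNs for `count` connections from distinct remote ports (test addresses)."""
    return [generator.generate("192.0.2.10", 80, "198.51.100.7", 40000 + i)
            for i in range(count)]
```

Running `has_constant_increments(sample(...))` against each generator shows the difference: the constant-increment generator is flagged, while the keyed-hash generator produces offsets that depend on the secret and the 4-tuple.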

High impact threat in IoT

The vulnerable stacks are popular and their use cases are extensive. As we outlined in our AMNESIA:33 report, uIP, FNET, picoTCP and Nut/Net are used by millions of devices, including everything from IT file servers to IoT-embedded components. We believe that CycloneTCP, uC/TCP-IP, NDKTCPIP, MPLAB Net and Nucleus NET are equally popular and widespread.

In this research, Forescout has not tried to identify affected devices or device manufacturers. Still, there are several notable public use cases of some of the stacks, such as medical devices, wind turbine monitoring systems, remote terminal units (RTUs) and IT storage systems.

Recommended mitigation

Identifying and patching devices running the vulnerable stacks is challenging because it is often unknown which devices run a particular stack, and embedded devices are notoriously difficult to manage and update. That’s why Forescout recommends this mitigation strategy:

  • Discover and inventory devices that run a vulnerable TCP/IP stack. Forescout Research Labs has released an open-source script that uses active fingerprinting to detect devices running the affected stacks. The script is updated constantly with new signatures. Additionally, Nmap allows the collection of ISN metrics and performs statistical analyses to understand whether a target device suffers from weak ISN generation.
  • Patch when possible. Monitor progressive patches released by affected device vendors and devise a remediation plan for your vulnerable asset inventory. Forescout can help orchestrate remediation workflows with other IT and security tools for devices that have available patches and can be patched outside of maintenance windows.
  • Segment to mitigate risk. For vulnerable IoT and OT devices, use segmentation to minimise network exposure and the likelihood of compromise without impacting mission-critical functions or business operations. Segmentation and zoning can also limit the blast radius and business impact if a device is compromised. Forescout eyeSegment can help to restrict external communication paths and isolate or contain vulnerable devices in zones.
  • Deploy IPsec. End-to-end cryptographic solutions built on top of the Network layer (IPsec) do not require any modifications to the TCP/IP stack in use, while still defending against TCP spoofing and connection reset attacks. Unfortunately, this comes at the cost of network bandwidth.

Phase two of Project Memoria

In 2020 Forescout Research Labs started Project Memoria, an initiative that aims to provide the cybersecurity community with the largest study on the security of TCP/IP stacks. The first outcome of the project was AMNESIA:33 – a set of 33 vulnerabilities affecting four open source TCP/IP stacks.

These latest findings represent the second study in Project Memoria, focusing on the same seven open source embedded TCP/IP stacks from the first study (uIP, FNET, picoTCP, Nut/Net, lwIP, cycloneTCP and uC/TCP-IP), as well as four other popular stacks: Microchip’s MPLAB Net, Texas Instruments’ NDKTCPIP, ARM’s Nanostack and Siemens’ Nucleus NET.

Forescout will continue to drive research into TCP/IP stacks through Project Memoria. Its goal is to raise industry awareness of the vulnerability of these stacks and the importance of a secure software supply chain.
