ISN generation vulnerabilities found in nine of eleven TCP/IP stacks, says Forescout Research Labs

Forescout researchers have discovered vulnerabilities in multiple TCP/IP stacks in which ISNs (Initial Sequence Numbers within TCP connections) are improperly generated. This is leaving devices’ TCP connections open to attacks.

In a recent assessment, Forescout researchers analysed 11 total stacks: uIP, FNET, picoTCP, Nut/Net, lwIP, cycloneTCP, uC/TCP-IP, MPLAB Net, TI-NDKTCPIP, Nanostack, and Nucleus NET.

Improperly generated ISNs in 9 of 11 stacks

This type of vulnerability has been used historically to break into general-purpose computers (notoriously by Kevin Mitnick, which led it to be known as the “Mitnick attack”. Kevin David Mitnick is a US computer security consultant, author and convicted hacker. He was arrested in 1995 and spent five years in prison for computer and communications-related crimes.) What makes this finding different is the stacks are primarily used in embedded devices, potentially widening their impact.

ISNs ensure that every TCP connection between two devices is unique and that there are no collisions, so that third parties cannot interfere with an ongoing connection. To guarantee these properties, ISNs must be randomly generated so that an attacker cannot guess an ISN and hijack an ongoing connection or spoof a new one.

As the survey organisers say, “This research again highlights the security challenges of the IoT (Internet of Things) world and why it is fundamental for network operators to employ cybersecurity tools that ensure visibility and control of networked devices, including granular classification to detect vulnerable components, as well as the possibility of segmenting and enforcing policies on the network.

Here’s a recap of our findings (lwIP and Nanostack are not mentioned as they were not found vulnerable):

CVE IDCVSSv3 ScoreTCP/IP Stack analysedDescriptionFix
CVE-2020-272137.5Nut/Net 5.1ISN generator relies on a highly predictable source (system timer) and has constant increments.Patch in progress.
CVE-2020-276307.5uC/TCP-IP 3.6.0ISN generator relies on LCG, which is reversible from observed output streams. The algorithm is seeded with publicly recoverable information (i.e., system timer count).uC/TCP-IP is no longer supported. Patched in the latest version of Micrium OS(successor project).
CVE-2020-276317.5CycloneTCP 1.9.6ISN generator relies on LCG, which is reversible from observed output streams. The algorithm is initially seeded with a publicly observable CRC value.Patched in version 2.0.0.
CVE-2020-276327.5NDKTCPIP 2.25ISN generator is initialised with a constant value and has constant increments.Patched in version 7.02 of Processor SDK.
CVE-2020-276337.5FNET 4.6.3ISN generator is initialised with a constant value and has constant increments.Documentation updated to warn users and recommend implement-ing their own PRNG.
uIP 1.0Contiki-OS 3.0Contiki-NG 4.5ISN generator is initialised with a constant value and has constant increments.No response from maintainers.
CVE-2020-276357.5PicoTCP 1.7.0PicoTCP-NGISN generator relies on LCG, which is reversible from observed output streams. The algorithm is seeded with publicly recoverable information (i.e., system timer count).Version 2.1 removes the default (vulnerable) implementation and recommends users implement their own PRNG.
CVE-2020-276367.5MPLAB Net 3.6.1ISN generator relies on LCG, which is reversible from observed output streams. The algorithm is seeded with a static value.Patched in version 3.6.4.
CVE-2020-283886.5Nucleus NET 4.3ISN generator relies on a combination of values that can be inferred from a network capture (MAC address of an endpoint and a value derived from the system clock).Patched in Nucleus NET 5.2 and Nucleus ReadyStart v2012.12

These vulnerabilities were discovered and disclosed to the affected vendors and maintainers in October 2020. Most vendors have already issued patches and/or mitigation recommendations to users. The developers of Nut/Net are working on a solution, and Forescout has not received a response from the uIP developers.

The vulnerabilities found (except CVE-2020-28388) have a common CVSSv3 score and vector of 7.5 and AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, respectively. Siemens has assigned a score of 6.5 to CVE-2020-28388 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. However, the actual severity on a particular device and TCP connection may vary depending on, for example, the use of encrypted sessions and the sensitivity of data exchanged.

High impact threat in IoT

The popularity and some use cases of the vulnerable stacks is extensive. As we outlined in our AMNESIA:33 report, uIP, FNET, picoTCP and Nut/Net are used by millions of devices, including everything from IT file servers to IoT-embedded components. We believe that CycloneTCP, uC/TCP-IP, NDKTCPIP, MPLAB Net and Nucleus NET are equally popular and widespread.

In this research, Forescout has not tried to identify affected devices or device manufacturers. Still, there are several notable public use cases of some of the stacks, such as medical deviceswind turbine monitoring systemsremote terminal units (RTUs) and IT storage systems.

Recommended mitigation

Identifying and patching devices running the vulnerable stacks is challenging because it is often unknown which devices run a particular stack, and embedded devices are notoriously difficult to manage and update. That’s why Forescout recommends this mitigation strategy:

  • Discover and inventory devices that run a vulnerable TCP/IP stack. Forescout Research Labs has released an open-source script that uses active fingerprinting to detect devices running the affected stacks. The script is updated constantly with new signatures. Additionally, Nmap allows the collection of ISN metrics and performs statistical analyses to understand whether a target device suffers from weak ISN generation.
  • Patch when possible. Monitor progressive patches released by affected device vendors and devise a remediation plan for your vulnerable asset inventory. Forescout can help orchestrate remediation workflows with other IT and security tools for devices that have available patches and can be patched outside of maintenance windows.
  • Segment to mitigate risk. For vulnerable IoT and OT devices, use segmentation to minimise network exposure and the likelihood of compromise without impacting mission-critical functions or business operations. Segmentation and zoning can also limit the blast radius and business impact if a device is compromised. Forescout eyeSegment can help to restrict external communication paths and isolate or contain vulnerable devices in zones.
  • Deploy IPsec. End-to-end cryptographic solutions built on top of the Network layer (IPsec) do not require any modifications to a TCP/IP stack in use while allowing to defend against TCP spoofing and connection reset attacks. Unfortunately, this comes at the cost of network bandwidth.

Phase two of project memoria

In 2020 Forescout Research Labs started Project Memoria, an initiative that aims to provide the cybersecurity community with the largest study on the security of TCP/IP stacks. The first outcome of the project was AMNESIA:33 – a set of 33 vulnerabilities affecting four open source TCP/IP stacks.

These latest findings represent the second study in Project Memoria, focusing on the same seven open source embedded TCP/IP stacks from the first study (uIP, FNET, picoTCP, Nut/Net, lwIP, cycloneTCP and uC/TCP-IP), as well as four other popular stacks: Microchip’s MPLAB NetTexas Instruments’ NDKTCPIP, ARM’s Nanostack and Siemens’ Nucleus NET.

Forescout will continue to drive research into TCP/IP stacks through Project Memoria. Its goal is to raise industry awareness of the vulnerability of these stacks and the importance of a secure software supply chain.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow


Thailand marine department to deploy several thousand Globalstar SPOT Gen4 satellite trackers via Thaicom to safeguard island visitors

Posted on: June 30, 2022

Dublin, Ireland. 30 June, 2022 – Globalstar Europe satellite services ltd, a wholly owned subsidiary of Globalstar Inc., and a provider in satellite messaging, IoT, and emergency notification technologies, announces that SPOT Gen4 satellite messengers will be deployed by Thailand Marine Department to provide safety and security for all travellers on and around the island

Read more

BigChange elevates green ambitions for VM Elevators

Posted on: June 30, 2022

Leeds, United Kingdom. 29 June, 2022 – VM Elevators, independent lift and escalator services provider, is boosting its green credentials using BigChange job management software. Using the cloud based platform, VME delivers 100% of its client reports electronically and has moved its business to an entirely paperless system. Intelligent scheduling and routing, and collaboration with

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more
IoT Newsletter

Join the IoT Now online community for FREE, to receive: Exclusive offers for entry to all the IoT events that matter, round the world

Free access to a huge selection of the latest IoT analyst reports and industry whitepapers

The latest IoT news, as it breaks, to your inbox