TCP/IP Stack Gruyere

Diego Samuel Espitia    30 November, 2021

In May 2020, during the most complicated phase of the global pandemic, we were told that the internet was broken as a result of a set of bugs (called Ripple20) affecting millions of IoT devices. But this was just one in a series of problems detected in TCP/IP stacks that have been brought together in research called the Memory Project.

This project reports vulnerabilities in the implementations of 14 TCP/IP stacks, detected after 18 months of research. The result is the disclosure of 97 vulnerabilities grouped into 6 reports which, by their very nature, are rated at a very high risk level and impact millions of devices and hundreds of manufacturers.

The first striking feature of the report is the initial release date of the fourteen TCP/IP stacks, which are at least 7 years old and at most 28 years old. This is evidence that, as on previous occasions with other base protocols, unknown vulnerabilities have been carried over from many decades ago.

Year of initial release of each TCP/IP stack analysed

This does not imply that all stacks or protocols are vulnerable just because they are old, but it does show that in many cases the processes of correction and improvement for this type of basic building block of the internet are somehow slow. The study also indicates that one of the main problems is the lack of response from many manufacturers when they are notified of vulnerabilities, or the slow adoption of patches, as in the case of Schneider Electric, which took 308 days to publish the patches correcting the vulnerabilities known as AMNESIA:33.

The other very important point is the impact of these vulnerabilities, as most of the implementations are in IoT, IIoT and OT devices, which are the basis of the operation of critical infrastructures and industries around the world. For devices such as gas turbines, electrical transmission elements and Siemens brand RTUs, the manufacturer's own CERT has confirmed in the last two months, in advisories SSA-044112 and SSA-316383, the existence of vulnerabilities in its devices corresponding to NUCLEUS:13 and NUMBER:JACK respectively.

However, it is not the only industry affected. The government and medical services environments have also been severely impacted. In fact, they are the most affected sectors reported, and between them account for around 60% of all affected devices.

Figure 2: Vulnerable devices per sector

As in previous cases, this one highlights the need for greater scrutiny of how vendors and developers create, or make use of, the different TCP/IP stacks in their implementations.

The good news is that bugs reported responsibly in this way demonstrate not only the importance of such analysis, but how vital it is to provide early warning to the world's organisations, raising awareness of the other, as yet undiscovered, vulnerabilities that may be present in critical environments.
