IoT, cloud and embedded systems software security: a Ripple deja-vu and Amnesia

In system and network security systems major flaws get world-wide attention. Well-known CVEs are mostly fixed but not patched in due time. In embedded systems, similar issues linger for quite some time. As Dr. Nathalie Weiler points out in her Medical Cluster Insights talk «Security by Design – sicher vernetzte Medizinprodukte des gesamten Product-Lifecycle», Ripple20 was only a beginning, followed by Amnesia33 published Dec 08, 2020 (33 vulnerabilties on 7 open source tcp/ip stacks, 3 of highest criticality (CVSS score above 9)).

Four of the vulnerabilities in AMNESIA:33 are critical, with potential for remote code execution on certain devices. Exploiting these vulnerabilities could allow an attacker to take control of a device, thus using it as an entry point on a network for internet-connected devices, as a pivot point for lateral movement, as a persistence point on the target network or as the final target of an attack.

For enterprise organizations, this means they are at increased risk of having their network compromised or having malicious actors undermine their business continuity. (…) AMNESIA:33 affects multiple open source TCP/IP stacks that are not owned by a single company.

This means that a single vulnerability tends to spread easily and silently across multiple codebases, development teams, companies and products, which presents significant challenges to patch management. (…) more than 150 vendors and millions of devices are vulnerable (…) widely spread (across different IoT, OT and IT devices in different verticals), highly modular (with components, features and settings being present in various combinations and code bases often being forked) and incorporated in undocumented, deeply embedded subsystems. For the same reasons, these vulnerabilities tend to be very hard to eradicate. Forescout Research Labs Report on Amnesia:33

Affected implementations in medical field include uIP, Contiki-OS and Contiki-NG, PicoTCP and PicoTCP-NG, FNET and Nut/OS. Interestingly, other implementations from both commercial and open-source provenance, e.g uC-TCP and lwip have not been reported so far.

A good strategy is to critically review a systems software component repository regarding known issues. In addition a penetration test using OWASP principles is a good thing. As these are mandatory, for effectiveness and budget reasons it makes sense to set the right priorities. If you need to sort out the initial architecture a newly built system or assess a legacy system in a software review, we’re glad to provide an initial consultation.