At the end of last year, ForeScout analyzed seven open-source software libraries and found a set of 33 vulnerabilities in four of them (uip, picoTCP, FNET, Nut/Net). Three of these vulnerabilities are critical and can lead to remote code execution.
One such critical vulnerability concerns a buffer overflow, which can be exploited if a corrupted web address sent by a remote party violates the expected DNS coding structure. With a carefully constructed message, it is possible to do an out-of-bounds write to the heap. A non-privileged attacker may subsequently use this to take control over the device, and use it for subsequent attacks in the network where the affected device sits.
According to estimations of ForeScout, 150 vendors use the affected libraries, and millions of devices are vulnerable to Amnesia-33. Attackers can use public interfaces to take control over affected devices and cause damage to processes relying on the device. The attack may also be used as a stepping stone to target other assets connected to the device. Although no complete scenario is demonstrated, it is imaginable that this may have a large impact, such as a DoS attack.
Apart from the seriousness of the flaw, we also learn that even though the open-source code is widely used, it is apparently not sufficiently scrutinized. This should be a reminder that no software can be trusted before careful evaluation.
In their FAQ, ForeScout proposes a number of mitigations, including assessment and patching. While these strategies make sense, they would only mitigate risks related to these vulnerabilities. If you are a device vendor and work with open-source software, you should also consider measures to detect further vulnerabilities that have not yet been published. Such measures include code review and automated analysis. Riscure provides software security evaluation services and works on software security tooling that helps identify and analyze similar flaws. Riscure True Code platform can help you gain more confidence in open source and proprietary code. Check out our website for more information.
If you have any questions, contact us at firstname.lastname@example.org.
Check out other posts of Riscure Security Highlights.