Amnesia:33 — Critical TCP/IP Flaws Affect Millions of IoT Devices
Security News, December 2020
Cybersecurity researchers have disclosed a dozen new flaws in multiple widely used embedded TCP/IP stacks, impacting millions of devices, from networking equipment and medical devices to industrial control systems, that could be exploited by an attacker to take control of a vulnerable system.
Collectively named "AMNESIA:33" by Forescout researchers, the set of 33 vulnerabilities affects four open-source TCP/IP protocol stacks - uIP, FNET, picoTCP, and Nut/Net - that are commonly used in Internet-of-Things and embedded devices.
Millions of devices from an estimated 158 vendors are vulnerable to AMNESIA:33. The flaws open the possibility of remote code execution, allowing an adversary to take complete control of a device and use it as an entry point into a network of IoT devices, where they could move laterally, establish persistence, and co-opt the compromised systems into botnets without their owners' knowledge.
Like the Urgent/11 and Ripple20 flaws disclosed before it, AMNESIA:33 stems from out-of-bounds writes, overflow flaws, or a lack of input validation, leading to memory corruption that enables an attacker to put devices into infinite loops, poison DNS caches, and extract arbitrary data.
"As a result, vulnerabilities in embedded TCP/IP stacks have the potential to affect millions - even billions - of devices across verticals and tend to remain a problem for a very long time."
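As an added illustration of the input-validation failures the article describes (a constructed example, not code from uIP, FNET, picoTCP or Nut/Net, and not any specific AMNESIA:33 bug): a DNS name decoder of the kind found in embedded stacks, carrying the packet-length and buffer-length checks whose absence produces the out-of-bounds reads and writes mentioned above. The sample packets and the `decode` helper are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed illustration of the bug class: decode a DNS name from a
 * packet into a fixed-size buffer. Each label is <len><bytes>; a zero
 * length ends the name. Compression pointers (0xC0) are out of scope. */
#define NAME_MAX 64

/* Returns the decoded name length, or -1 for a malformed packet.
 * Each check below is one that a vulnerable stack typically omits. */
int parse_dns_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                   char *out, size_t out_len)
{
    size_t pos = off, n = 0;
    for (;;) {
        if (pos >= pkt_len)           /* length byte must lie inside the packet */
            return -1;
        uint8_t len = pkt[pos++];
        if (len == 0)
            break;
        if (len > 63)                 /* RFC 1035 label limit; also rejects pointers */
            return -1;
        if (pos + len > pkt_len)      /* label bytes must lie inside the packet (OOB read) */
            return -1;
        size_t need = n + (n ? 1 : 0) + len + 1;   /* '.' separator + label + NUL */
        if (need > out_len)           /* decoded name must fit the buffer (OOB write) */
            return -1;
        if (n)
            out[n++] = '.';
        memcpy(out + n, pkt + pos, len);
        n += len;
        pos += len;
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t GOOD_PKT[] = {3,'w','w','w',7,'e','x','a','m','p','l','e',3,'c','o','m',0};
static const uint8_t TRUNCATED_PKT[] = {40,'a','b','c'};   /* label claims 40 bytes, 3 present */
static const uint8_t UNTERMINATED_PKT[] = {3,'w','w','w'}; /* no terminating zero label */
static char g_name[NAME_MAX];

/* Decode into the shared buffer, limited to out_len bytes; returns parse_dns_name's result. */
int decode(const uint8_t *pkt, size_t len, size_t out_len)
{
    return parse_dns_name(pkt, len, 0, g_name, out_len);
}
```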