More stories

  • NZ adopts Google/Apple COVID-19 exposure notification tech for contact tracing

    The New Zealand government has done what the Australian government should have by implementing the COVID-19 contact tracing framework developed by Apple and Google instead of pushing forward with a problem-riddled app.
    From Thursday, the NZ COVID Tracer app will see the addition of Bluetooth tracing, which adopts the Apple/Google Exposure Notification Framework.
    “Kiwis deserve a summer break more than ever this year but we cannot take our eye off the ball. The prospect of another outbreak should serve as a rock under our beach towels. That’s no bad thing,” Minister for COVID-19 Response Chris Hipkins said.
    When an app user tests positive for COVID-19, they can choose to alert other app users who may have been exposed to the virus. Other app users will then receive an alert if they have been near that app user who tested positive for COVID-19.
    The Ministry of Health will not know an individual has received an alert unless that individual chooses to get in touch for information and advice.
    “But it’s vitally important that New Zealanders see Bluetooth as an additional tool that will help to speed up contact tracing,” Hipkins said. “We need to continue to scan QR codes wherever we go, and businesses, services, and public transport providers must keep displaying their QR code posters at all alert levels.
    “QR codes allow us to create a private record of the places we’ve been, while Bluetooth creates an anonymised record of the people we’ve been near.”

    Hipkins said that, combined, they complement the work done by public health units and the National Investigation and Tracing Centre to rapidly identify and isolate close contacts.
    “That continues to be the primary method for contact tracing in New Zealand,” he added.
    There are currently around 2.4 million registered users of the NZ COVID Tracer app, of which approximately 90% will have phones that are compatible with Bluetooth tracing. 
    Being mindful that many New Zealanders are without access to a compatible smartphone, Hipkins said that while no decisions have yet been made on any wider rollout of the proposed contact tracing cards, there is potential for the cards or other wearables to form part of a broader system of interoperable technologies.
    “The recent community trial of the cards with the Te Arawa COVID-19 Response Hub has highlighted that a partnership approach to any future rollout of cards or wearables will be essential to increasing community trust and participation with contact tracing technologies,” he said.
    The app has been endorsed by the Privacy Commissioner, and the Ministry of Health will release the source code on Friday.
    NZ COVID Tracer will update automatically and Bluetooth tracing will be turned off by default.
    As of Tuesday, the total number of active cases in New Zealand was 54. The total number of confirmed cases since the pandemic hit the country is 1,729.
    Six new cases were found on Tuesday, all of them were returned travellers.

  • FireEye, one of the world's largest security firms, discloses security breach

    FireEye, one of the world’s largest security firms, said today it was hacked and that a “highly sophisticated threat actor” accessed its internal network and stole the hacking tools FireEye uses to test the networks of its customers.

    In a press release today, FireEye CEO Kevin Mandia said the threat actor also searched for information related to some of the company’s government customers.
    Mandia described the attacker as a “highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.”
    “Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia said in a statement released after markets closed.
    “This attack is different from the tens of thousands of incidents we have responded to throughout the years,” the FireEye top exec added.
    “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus.
    “They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
    Microsoft confirms nation-state attribution

    FireEye said its assessment was confirmed by Microsoft, which the company brought in to help investigate the breach.
    The Federal Bureau of Investigation was also notified and is currently assisting the company, a major government contractor.
    Because FireEye believes the attackers got their hands on its custom penetration testing tools, the company is now sharing indicators of compromise (IOC) on its GitHub account. These IOCs can help other companies detect if hackers used any of FireEye’s stolen tools to breach their networks.
    But despite the gloomy news, FireEye is not the first major security firm that got hacked by a nation-state group. Kaspersky disclosed a similar breach in 2015; RSA Security was also hacked in 2011 by a nation-state actor later linked to China; and Avast got hacked twice, the first time in 2017, and again in 2019.
    On Twitter, top executives from security firms CrowdStrike and Dragos showed their support for FireEye and Mandia.

    With the FireEye breach news coming out, it’s important to remember that no one is immune to this. Many security companies have been successfully compromised over the years, including Symantec, Trend, Kaspersky, RSA and Bit9 1/
    — Dmitri Alperovitch (@DAlperovitch) December 8, 2020

    Going to be a lot of folks that dunk on FireEye for this but from my quick review they found it themselves and self disclosed. Everyone gets breached. Kudos to Kevin and the team for detecting and responding well. https://t.co/CxHM375Jbu
    — Robert M. Lee (@RobertMLee) December 8, 2020

  • Microsoft December 2020 Patch Tuesday fixes 58 vulnerabilities

    Microsoft has published today 58 security fixes across 10+ products and services, as part of the company’s monthly batch of security updates, known as Patch Tuesday. 

    There are fewer fixes this December than the 100+ that Microsoft usually ships each month, but that doesn’t mean the bugs are less severe.
    More than a third of this month’s patches (22) are classified as remote code execution (RCE) vulnerabilities. These are security bugs that need to be addressed right away as they are more easily exploitable, with no user interaction, either via the internet or from across a local network.
    This month, we have RCEs in Microsoft products like Windows NTFS, Exchange Server, Microsoft Dynamics, Excel, PowerPoint, SharePoint, Visual Studio, and Hyper-V.
    The highest-rated of these bugs, and the ones most likely to come under exploitation, are the RCE bugs impacting Exchange Server (CVE-2020-17143, CVE-2020-17144, CVE-2020-17141, CVE-2020-17117, CVE-2020-17132, and CVE-2020-17142) and SharePoint (CVE-2020-17118 and CVE-2020-17121).
    Patching these first is advised: by their nature, Exchange and SharePoint systems are regularly connected to the internet and, as a result, are more easily attacked.
    Another major bug fixed this month is in Hyper-V, Microsoft’s virtualization technology used to host virtual machines. Exploitable via a malicious SMB packet, this bug could allow remote attackers to compromise the virtualized sandboxed environments that Hyper-V was designed to keep isolated.

    Below are additional details about today’s Microsoft Patch Tuesday and security updates released by other tech companies:
    Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
    ZDNet has published this file listing all this month’s security advisories on one single page.
    Adobe’s security updates are detailed here.
    SAP security updates are available here.
    Intel security updates are available here.
    VMWare security updates are available here.
    Chrome 87 security updates are detailed here.
    Android security updates are available here.
    Tag | CVE ID | CVE Title
    Microsoft Windows DNS | ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver
    Azure DevOps | CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
    Azure DevOps | CVE-2020-17135 | Azure DevOps Server Spoofing Vulnerability
    Azure SDK | CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability
    Azure SDK | CVE-2020-16971 | Azure SDK for Java Security Feature Bypass Vulnerability
    Azure Sphere | CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability
    Microsoft Dynamics | CVE-2020-17147 | Dynamics CRM Webclient Cross-site Scripting Vulnerability
    Microsoft Dynamics | CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure
    Microsoft Dynamics | CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
    Microsoft Dynamics | CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
    Microsoft Edge | CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability
    Microsoft Edge | CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability
    Microsoft Exchange Server | CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability
    Microsoft Exchange Server | CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability
    Microsoft Exchange Server | CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability
    Microsoft Exchange Server | CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability
    Microsoft Exchange Server | CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability
    Microsoft Exchange Server | CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability
    Microsoft Graphics Component | CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability
    Microsoft Graphics Component | CVE-2020-17098 | Windows GDI+ Information Disclosure Vulnerability
    Microsoft Office | CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability
    Microsoft Office | CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability
    Microsoft Office | CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability
    Microsoft Office | CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability
    Microsoft Office SharePoint | CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability
    Microsoft Office SharePoint | CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-17089 | Microsoft SharePoint Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability
    Microsoft Windows | CVE-2020-17138 | Windows Error Reporting Information Disclosure Vulnerability
    Microsoft Windows | CVE-2020-17092 | Windows Network Connections Service Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability
    Microsoft Windows | CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
    Visual Studio | CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
    Visual Studio | CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
    Visual Studio | CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability
    Visual Studio | CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability
    Windows Backup Engine | CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Error Reporting | CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability
    Windows Hyper-V | CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability
    Windows Lock Screen | CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability
    Windows Media | CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability
    Windows SMB | CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability
    Windows SMB | CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability

  • GitHub rolls out dependency review, vulnerability alerts for pull requests

    GitHub will roll out dependency review, a security assessment for pull requests, in the coming weeks to developers. 
    The open source development platform said on Tuesday at the GitHub Universe conference that dependency review is a system designed to help “reviewers and contributors understand dependency changes and their security impact at every pull request” and has been developed to try and prevent vulnerable code from merging with new or updated dependencies by accident. 
    Added to the GitHub roadmap this year, the new tool will give developers an overview of which dependencies are added or removed from a project, when they were updated, how many other projects lean on a dependency, and any vulnerability information associated with them. 
    Dependency review is currently in beta and will become available to public repositories and Advanced Security customers on GitHub Enterprise Cloud, with a rollout expected in the “coming weeks.” The feature will be made available for free to public repositories. 

    Image: Example dependency review record (GitHub)
    GitHub’s current security offerings include a vulnerability advisory database, temporary private fork features to fix bugs before public disclosure, dependabot alerts, and automated pull requests for security updates. 
    In 2020, the platform logged 56 million developers and the creation of 60 million new repositories. Over 90% of projects utilize open source components and have almost 700 dependencies on average. 

    According to GitHub research, vulnerabilities can go undetected for up to four years in open source software. Although the majority of bugs are the result of human error rather than malice, vulnerabilities in components that could be extensively used by third-party vendors need to be dealt with as quickly as possible — and any means to prevent them from being added to dependencies is valuable. 
    The organization also revealed a slew of other changes, including a new build of GitHub Enterprise Server, with release starting December 16. The new GHES 3.0 release candidate will include built-in CI/CD and automation features within GitHub Actions and Packages. 
    In addition, GHES 3.0 will allow enterprise customers to automate Advanced Security, including code and secret scanning (in beta), during server deployments. 
    GitHub also announced:
    Dark mode: Available today under settings
    Discussions: Now available for all public repositories
    Auto-merge pull requests: Rolling out over the next few weeks, this opt-in setting allows developers to permit automatic pull request merges once checks have passed
    Environments: Environments will be able to be used with specific secrets to protect apps and packages, starting later this month
    Workflow visualization: Action workflows can now be visualized in graphs
    Mobile support: A beta version of mobile support for GitHub Enterprise Server is in development.
    In addition, GitHub Sponsors has been expanded from individual funding to investment from businesses. According to the firm, GitHub Sponsors for companies will allow organizations to “invest in the open source developers and projects that they depend on” through GitHub billing. 
    Companies including AWS, American Express, Daimler, and Microsoft have already signed up to financially support open source projects. 

  • Accounts with default creds found in 100+ GE medical device models

    Image: Harlie Raethel, GE Healthcare
    More than 100 models of General Electric Healthcare medical devices come with hidden accounts that use the same default credentials and could be abused by hackers to gain access to medical equipment inside hospitals and clinics.

    Affected devices include the likes of CT scanners, X-Ray machines, and MRI imaging systems, according to CyberMDX, the security firm that discovered the hidden accounts earlier this year.
    The accounts, hidden to end-users, are included in the device firmware and are used by GE Healthcare servers to connect to on-premise devices and perform maintenance operations, run system health checks, obtain logs, run updates, and other actions.
    CyberMDX says the problem with these accounts is that they use the same default credentials, and that those credentials are public and can be found online by threat actors, who can then abuse them to gain access to hospital imaging systems and harvest patient personal data.
    GE’s effort to help customers
    In an email interview on Monday, GE told ZDNet that they are “not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation.” However, this doesn’t mean the issue won’t be abused in the future.
    To stay ahead of attackers and prevent future intrusions, GE has now embarked on a massive effort to help hospitals and other healthcare providers reconfigure all the devices where these accounts are present.
    In a security alert it plans to publish today, GE will advise customers to contact GE support staff to make an appointment and have GE personnel change the passwords for these hardcoded accounts.

    This step is necessary because the accounts are invisible to end-users, and only GE staff can change their credentials.
    “We are providing on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall,” a GE Healthcare spokesperson told ZDNet via email.
    “A patch is not required to solve this issue,” GE said.
    What’s vulnerable
    According to CyberMDX, the company discovered hidden accounts that granted access to the following services and features:
    FTP (port 21) - used by the modality to obtain executable files from the maintenance server.
    SSH (port 22)
    Telnet (port 23) - used by the maintenance server to run shell commands on the modality.
    REXEC (port 512) - used by the maintenance server to run shell commands on the modality.
    The list of vulnerable devices where these accounts are present includes 104 GE Healthcare device models. The biggest and most well-known GE Healthcare product lines affected by this issue, which CyberMDX has been tracking under the codename MDHexRay, include:
    Exploiting MDHexRay requires access to a hospital’s network
    But according to CyberMDX, the good news is that exploiting any of these default credentials to gain access to a device requires that an attacker have access to a hospital’s internal network.
    “We haven’t found cases where the devices were left exposed online,” Elad Luz, Head of Research at CyberMDX, told ZDNet in an email interview.
    “Internal network access is required, […] something that unfortunately happens quite commonly, especially recently,” Luz said, referring to the growing number of security breaches and ransomware intrusions reported by healthcare organizations this year.

  • Lightning does strike twice: If you get hacked once, you'll probably be attacked again within a year

    Businesses which suffer a successful cyber attack are extremely likely to be targeted by cyber criminals again – even if they’ve taken all the correct steps in the aftermath of the initial attack.
    The CrowdStrike Services Cyber Front Lines report draws on real-world cases where the cybersecurity company has been brought in to help combat cyber attacks, and it reveals that in over two-thirds of cases involving an outside intrusion onto the network, cyber criminals attempted to break into the same network again within one year.
    According to CrowdStrike, 68% of companies encountered another “sophisticated intrusion attempt” within 12 months – although in each of these cases, the second attack was prevented from compromising or otherwise gaining access to the network.
    While organisations might feel that if they’re hit by a cyber attack once – whether that’s malware, ransomware, business email compromise, phishing or something else – then they won’t be targeted again, if anything it’s the opposite that’s true.
    Cyber criminals probably come back because they are hoping that the organisation has not learned the lessons of the first attack, and has perhaps even left in place the same vulnerabilities that allowed the initial attackers to breach the network.
    “It is tempting to think of intrusions as a lightning strike — a blinding flash that is unlikely to strike the same place twice. Unfortunately, intrusion attempts are rarely a one-time event,” said the report.

    “Organisations that do not take the opportunity to apply lessons learned and to better prepare for their next encounter with an adversary may well suffer attacks that result in additional data loss, ransom demands, extortion or other monetary losses requiring costly legal fees, response services and perhaps even future business interruption,” the paper added.
    It’s recommended that in the aftermath of a breach – once the network is secured with timely security updates, stronger passwords and multi-factor authentication – organisations take the opportunity to learn from the incident, remain vigilant about what they can do to prevent future attacks, and plan how they’d react to another incident.
    One way of doing this is to regularly perform penetration testing to find out where the vulnerabilities are on the network and if defenders can detect the intrusions, particularly when it comes to new kinds of attack or vulnerability.
    “Holistic coordination and continued vigilance are key in detecting and stopping sophisticated intrusions,” said Shawn Henry, chief security officer and president of CrowdStrike Services.
    “Because of this, we’re seeing a necessary shift from one-off emergency engagements to continuous monitoring and response. This will better enable incident response teams to help customers drastically reduce the average time to detect, investigate and remediate,” he added.

  • Norway says Russian hacking group APT28 is behind August 2020 Parliament hack

    APT28, one of Russia’s military hacking units, was most likely responsible for hacking the email accounts of the Norwegian Parliament, the Norwegian police secret service (PST) said today.

    The Norwegian Parliament (Stortinget) hack was disclosed earlier this year on September 1. At the time, Stortinget director Marianne said that hackers gained access to the Parliament’s email system and accessed inboxes for Stortinget employees and government elected officials.
    No details about the hack were made public in September, but in a follow-up in October, Foreign Minister Ine Eriksen Søreide said that initial clues suggested that the attack was most likely carried out by Russian hackers, an accusation that Moscow immediately denied.
    The next day, Russian Foreign Ministry spokeswoman Maria Zakharova dismissed the allegations as “a planned provocation” from Norwegian officials looking to “destroy bilateral relations” with “no evidence.”
    Konstantin Kosachev, Head of the Russian Federation Council’s Committee on Foreign Affairs, also commented on the matter, calling Oslo’s accusations of Russian involvement in the Stortinget hack as “groundless.”
    Norwegian secret service publishes its findings
    But in a PST press release today, Norway’s cyber-security agency held the line with the government’s initial October accusations.
    “The analysis shows that it is likely that the operation was carried out by a cyber actor referred to in open sources as APT28 and Fancy Bear,” PST officials said.

    “This actor is linked to Russia’s military intelligence service GRU, more specifically their 85th Special Services Center (GTsSS),” they added.
    PST officials said APT28 hackers breached Stortinget email accounts and tried to pivot to the Parliament’s internal networks but failed.
    Investigators said Stortinget was to blame for the intrusion as officials and employees used weak email passwords and failed to use two-factor authentication to protect accounts.
    Other details about the intrusions couldn’t be revealed due to the sensitive nature of the hack.
    PST officials said the attack against the Parliament was part of a larger APT28 campaign that began in 2019 and hit multiple other targets, both inside Norway and abroad.
    While the PST press release doesn’t mention it by name, the Norwegian cyber-security agency appears to be referring to a recent Microsoft report detailing a shift in APT28 tactics.
    According to this report, from September 2019 the APT28 group started using brute-force and credential harvesting attacks on a larger scale and began targeting Office 365 accounts in order to gain access to the email accounts of more than 200 private and government organizations.
    PST officials said that despite linking the attacks to known APT28 tactics, they weren’t able to gather enough evidence to file a formal indictment, as Germany did earlier this year against an APT28 member involved in the hack of its Parliament (the Bundestag) in 2015.
    The APT28 group is also known in the cyber-security industry under other names, including Sofacy, Fancy Bear, Sednit, Strontium, and more. It is one of the most active Russian state-sponsored hacking groups, believed to have been involved in hacks against the Pentagon, the German Parliament, NATO, the DNC in 2016, the World Anti-Doping Agency, and many more. The group’s members are subject to many indictments and international sanctions.
    “Although we have not seen the activity mentioned in [the PST] report, during the last years, we have researched several Sofacy operations targeting entities in Scandinavian countries,” Costin Raiu, Director of the Kaspersky Global Research & Analysis Team (GReAT), told ZDNet.
    “It is important to mention the activities we observed are not recent and date back to 2016-2018,” Raiu added.
    “Most recently, it would appear that Sofacy changed their TTPs, with a focus on credentials harvesting and then expanding access through cloud services and various network equipment, as opposed to their traditional endpoint infection ops. This makes them much harder to track and detect than before and especially way more difficult to attribute, due to lack of custom software artifacts,” the Kaspersky security researcher said.
    Article updated shortly after publication with comments from Kaspersky.

  • Amnesia:33 vulnerabilities impact millions of smart and industrial devices

    Image: Forescout
    Security researchers have disclosed today 33 security flaws in four open-source TCP/IP libraries currently used inside the firmware of products from more than 150 vendors.

    Forescout researchers estimate that millions of consumer and industrial-grade devices are currently impacted by the security flaws they discovered, and which they named Amnesia:33.
    Impacted systems include anything you can think of, including smartphones, gaming consoles, sensors, system-on-a-chip (SOC) boards, HVAC systems, printers, routers, switches, IP cameras, self-checkout kiosks, RFID asset trackers, badge readers, uninterruptible power supplies, and all sorts of industrial equipment.
    Amnesia:33 bugs reside in four open-source TCP/IP stacks
    The wide impact of the Amnesia:33 vulnerabilities is explained by the location of the security flaws, namely in four widely used open-source libraries: uIP, FNET, picoTCP, and Nut/Net.
    Over the past two decades, device makers have often added one of these four libraries to the firmware of their devices to allow their products to support TCP/IP, today’s most widely used networking communications protocols.
    Due to the crucial functions they provide to a device, Forescout says that if exploited, the 33 vulnerabilities would allow an attacker to perform a wide range of attacks, such as:
    Remote code execution (RCE) to take control of a target device.
    Denial of service (DoS) to impair functionality and impact business operations.
    Information leak (infoleak) to acquire potentially sensitive information.
    DNS cache poisoning attacks to point a device to a malicious website.
    However, exploiting any devices using one of the Amnesia:33 bugs depends on which devices a company uses and where the devices are deployed across its network.

    For example, by their nature, routers can be exploited remotely, as they are usually connected to a company’s external interface. Other devices, like sensors and industrial equipment, might require that attackers gain access to a company’s internal network first.
    Project Memoria: From Ripple20 to Amnesia:33
    Forescout said it found the Amnesia:33 bugs as part of a research project it started earlier this year, named Project Memoria.
    Inspired by the discovery of the Ripple20 vulnerabilities in the Treck TCP/IP stack last year, Forescout’s Project Memoria analyzed the security of seven other TCP/IP stacks in search of similar dangerous vulnerabilities.
    “To perform our analysis, we used a combination of automated fuzzing (white-box code instrumentation based on libFuzzer), manual analysis guided by variant hunting using the Joern code querying engine and a pre-existing corpus of vulnerabilities […] and manual code review,” the research team said today.
    “In our study, we did not find any vulnerability in the lwIP, uC/TCP-IP, and CycloneTCP stacks.
    “Although this does not imply that there are no flaws in these stacks, we observed that the three stacks have very consistent bounds checking and generally do not rely on shotgun parsing, one of the most common anti-patterns we identified,” researchers added.
    But while the Amnesia:33 bugs were easy to discover and patch, the real work only now begins. Just like in the case of the Ripple20 vulnerabilities, device vendors will need to take the updated TCP/IP stacks and integrate them as firmware updates to their products.
    While in some cases —like smartphones or networking equipment— this might be an easy task due to over-the-air update mechanisms included with some of these products, many other vulnerable devices don’t even ship with the ability to update the firmware, meaning some equipment will most likely remain vulnerable for the rest of their shelf life.
    In these cases, companies will either need to replace devices, or deploy countermeasures to prevent the exploitation of any of the Amnesia:33 vulnerabilities.
    However, Forescout says that even detecting these bugs is a monumental task, primarily because many devices these days don’t come with a software bill of materials, so companies won’t even know they are running systems that use one of the four TCP/IP stacks vulnerable to Amnesia:33 attacks.
    In other words, the smart device ecosystem remains a mess and will most likely remain a security disaster for years to come. According to Forescout, all of this comes down to bad coding practices, such as an absence of basic input validation and shotgun parsing, the primary issues at the heart of both the Ripple20 and Amnesia:33 vulnerabilities.
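    The bounds-checking contrast the researchers draw above (stacks with "very consistent bounds checking" versus those that rely on "shotgun parsing") and the "absence of basic input validation" just named, shown in an added example that is not Forescout's code nor taken from any of the four stacks: a constructed TCP-style option-list parser written the shotgun way, beside a bounded version that validates every length before it reads a field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not code from any affected stack: a TCP-style option
 * list. Each option is kind(1) [len(1) data...], where len counts the kind
 * and len bytes too. kind 0 ends the list, kind 1 is a one-byte NOP. The len
 * byte arrives from the network, so the parser must not trust it. */
enum { OPT_END = 0, OPT_NOP = 1, OPT_MSS = 2 };

/* Anti-pattern ("shotgun parsing"): fields are read as they are met and the
 * option length is trusted. Returns how many bytes the loop walked. For the
 * demonstration it is only called on buffers zero-padded beyond the declared
 * length, so the over-read stays inside allocated memory; on a real packet
 * buffer it reads past the packet, and a len of 0 never advances. */
size_t parse_options_shotgun(const uint8_t *opts, size_t declared_len, uint16_t *mss_out)
{
    size_t i = 0;
    while (i < declared_len) {
        uint8_t kind = opts[i];
        if (kind == OPT_END)
            break;
        if (kind == OPT_NOP) {
            i++;
            continue;
        }
        uint8_t len = opts[i + 1];               /* i + 1 may already be past the packet */
        if (kind == OPT_MSS)                     /* neither len nor i + 3 is checked */
            *mss_out = (uint16_t)((opts[i + 2] << 8) | opts[i + 3]);
        i += len;                                /* len == 0 spins forever; a large len jumps past the end */
    }
    return i;
}

/* Hardened form: every read is checked against declared_len before it
 * happens, and each option's length is validated (at least 2, fits in the
 * remaining bytes, exact size for fixed-size kinds) before any field is
 * consumed. Returns 0 on success, -1 on a malformed list; never touches
 * opts[declared_len] or beyond and cannot loop without advancing. */
int parse_options_checked(const uint8_t *opts, size_t declared_len, uint16_t *mss_out)
{
    size_t i = 0;
    *mss_out = 0;
    while (i < declared_len) {
        uint8_t kind = opts[i];
        if (kind == OPT_END)
            return 0;
        if (kind == OPT_NOP) {
            i++;
            continue;
        }
        if (declared_len - i < 2)
            return -1;                           /* length byte missing */
        uint8_t len = opts[i + 1];
        if (len < 2)
            return -1;                           /* would never advance (DoS) */
        if (len > declared_len - i)
            return -1;                           /* option runs past the packet */
        if (kind == OPT_MSS) {
            if (len != 4)
                return -1;                       /* MSS carries exactly 2 data bytes */
            *mss_out = (uint16_t)((opts[i + 2] << 8) | opts[i + 3]);
        }
        i += len;                                /* unknown kinds are skipped by their validated len */
    }
    return 0;
}

/* Constructed sample inputs. SAMPLE_TRUNC is declared as 3 bytes but
 * zero-padded so the shotgun parser's over-read is observable without UB. */
static const uint8_t SAMPLE_OK[]    = { OPT_NOP, OPT_MSS, 4, 0x05, 0xb4, OPT_END };
static const uint8_t SAMPLE_TRUNC[] = { OPT_MSS, 4, 0x05, 0, 0, 0, 0, 0 };
static const uint8_t SAMPLE_ZERO[]  = { OPT_MSS, 0, 0, 0 };
static const uint8_t SAMPLE_LONG[]  = { OPT_MSS, 64, 0, 0 };

int demo_checked_ok(void)       { uint16_t m; return parse_options_checked(SAMPLE_OK, 6, &m) == 0 ? (int)m : -1; }
size_t demo_shotgun_trunc(void) { uint16_t m = 0; return parse_options_shotgun(SAMPLE_TRUNC, 3, &m); }
int demo_checked_trunc(void)    { uint16_t m; return parse_options_checked(SAMPLE_TRUNC, 3, &m); }
int demo_checked_zero(void)     { uint16_t m; return parse_options_checked(SAMPLE_ZERO, 4, &m); }
int demo_checked_long(void)     { uint16_t m; return parse_options_checked(SAMPLE_LONG, 4, &m); }

int main(void)
{
    printf("checked, well-formed list: MSS = %d\n", demo_checked_ok());          /* 1460 */
    printf("shotgun, 3-byte packet: walked %zu bytes\n", demo_shotgun_trunc());   /* 4, past the packet */
    printf("checked, truncated: %d, zero len: %d, oversize len: %d\n",
           demo_checked_trunc(), demo_checked_zero(), demo_checked_long());     /* -1 -1 -1 */
    return 0;
}
```

The shotgun parser walks four bytes of a three-byte packet and reports an MSS built from padding, which on a real stack is an out-of-bounds read; the checked parser rejects the same truncated, zero-length and oversized inputs before touching any field.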
    To learn more about the Amnesia:33 bugs, Forescout has provided a 47-page explainer as a PDF document. Shorter summaries are available on Forescout’s Amnesia:33 research page.
    Below is a list of all the Amnesia:33 vulnerabilities, extracted from the 47-page PDF document.

    Image: Forescout (tables listing the Amnesia:33 vulnerabilities)