IoT, Endpoint/Device Security, Critical Infrastructure Security, Black Hat, Endpoint/Device Security, Endpoint/Device Security

After months-long TCP/IP project, Forescout still finding wobbly stacks

Town of Internet of Things in Hangzhou, China. Forescout found new vulnerabilities in a widely used industrial TCP/IP stack as part of their latest research. (Raysonho @ Open Grid Scheduler/Grid Engine/CC0 1.0)

Since the middle of last year, researchers at Forescount and other firms have discovered a host of new vulnerabilities in TCP/IP stacks. New research released Wednesday may show stacks that have not been specifically called out in research may not be effectively keeping up.

Forescout's Project Memoria has been publishing new vulnerabilities in a non-exhaustive list of commonly used TCP/IP stacks since December. Their research had previously identified more than 50 vulnerabilities in such stacks. JSOF published an additional 19 in June of last year. Forescout has routinely said that the problem stacks face is ambiguity in the written TCP/IP protocols leading to implementation errors.

The newest Project Memoria research, out Wednesday, adds 14 more vulnerabilities to the tally, all in InterNiche’s NicheStack. But the most glaring result, said Elisa Costante, vice president of research at Forescout, was that InterNiche was susceptible to the vulnerabilities found in past research.

"We see basically all the problems that we have seen so far in Project Memoria in one single stack, so that is ICN, issues like [our] Number:Jack [research] memory issues like [our[ Amnesia:33 [research], as well as DNS issues [like in Name:Wreck]," she said.

The new report, produced in conjunction with JFrog, details 14 vulnerabilities in NicheStack, including two scoring critical on the CVSS scale. The researchers have dubbed the package of vulnerabilities "Infra:Halt, and have been able to demonstrate remote code execution on vulnerable PLCs using the stack. ICS-CERT is expected to release an alert on Thursday.

NicheStack is widely used in industrial applications across a variety of vendors and has been spun off into other TCP/IP stacks. It is used, for example, in the Siemens 57 PLC, the most popular PLC in the world. A remedial Shodan query showed for "interniche" more than 6,000 results for the stack.

The vulnerabilities range across various components of the stack, and can lead to remote code execution, denial of service, data leakage, remote code execution and TCP spoofing.

Forescout has submitted potential clarifications to the protocols to prevent the vulnerabilities they've found and found again from being replicated by more developers. Since the problems they have discovered often appear to come from common ways of reading and interpreting the existing protocol, they are not limited to the vendors whose names explicitly appear in the reports.

"Our invitation to the developers of these stacks is not to wait for researchers to go and dig into the stack," Costante said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.