Amnesia:33 Is a New Set of TCP/IP Vulnerabilities Affecting Millions of IoT Devices

Security researchers have identified a slew of vulnerabilities, collectively dubbed Amnesia:33, affecting TCP/IP stacks, which in turn impact millions upon millions of IoT devices across the world.

The network stacks govern much of the Internet and local connectivity, so it’s not really surprising that any vulnerabilities found will affect so many connected devices. This is not the first, or the last, time that multiple vulnerabilities affect the TCP/IP stacks, but knowing about them is a step forward.

The last major set of problems discovered in the same software was dubbed Ripple20 in 2020. Security researchers from Forescout Research Labs, with the help of universities and other organizations, launched the Project Memoria program with the goal of identifying problems in the TCP/IP stacks.

The 33 in Amnesia:33 reflects the number of identified vulnerabilities. Most are unique, with minimal overlap from one CVE to another.

“The most affected components in our sample of vulnerabilities are the DNS, TCP and IPv4/IPv6 sub-stacks, followed by DHCP, ICMP/ICMPv6, ARP and others,” say the researchers. “The only vulnerability that stands out is CVE-2020-11904 (part of Ripple20), which was discovered within the memory allocator component used by the Treck stack. Most of the vulnerabilities in AMNESIA:33 impact the DNS, IPv6 and TCP components.”

Finding a vulnerability and exploiting it are different things, but exploitation is possible, depending on the severity. The researchers explain that the combined lack of exploit mitigations and memory protection in embedded systems tends to render exploitation significantly easier than on modern IT devices.

The number of affected devices is impossible to estimate correctly, but they seem to number in the millions. Because the hardware and software are mixed and matched from one device to another, the impact of these vulnerabilities is not clear. The only hope is that companies become aware of the vulnerabilities and start releasing patches as soon as possible. Unfortunately, this process will take quite a while and, like Ripple20, these newly discovered problems are here to stay for a very long time.