ISNs in Nine TCP/IP Stacks Could be Abused to Hijack Connections to Vulnerable Devices


According to new research from Forescout, inappropriately created ISNs (Initial Sequence Numbers) in nine TCP/IP stacks could be exploited to hijack connections to vulnerable computers.

TCP/IP stacks are essential components that include a wide variety of computers, IoT and OT included, with simple network access and that process all incoming frames and packets.

Numerous high impact exploits, including the Ripple20 and URGENT/11 glitches, have already been publicly disclosed affecting the TCP/IP stacks. Forescout’s researchers outlined 33 new vulnerabilities in four TCP/IP open source stacks in December last year, collectively dubbed AMNESIA:33.

This time, digging into 11 stacks, the researchers found that nine of them failed to produce ISNs properly, leaving ties vulnerable to attacks. The vulnerabilities are collectively known as NUMBER:JACK and affect cycloneTCP, FNET, MPLAB Net, Nucleus NET, Nut/Net, picoTCP, uIP, uC/TCP-IP, and TI-NDKTCPIP (Nanostack and lwIP are not impacted).

To ensure the uniqueness of every TCP link between two machines, and to avoid collisions and interference with the connection, ISNs must be created randomly. If an attacker is able to guess an ISN, though, they may hijack an existing link, close a link (denial of service), or even fake a new one.

Eight of the reported problems bear a CVSS score of 7.5, namely CVE-2020-27213 (Nut/Net 5.1), CVE-2020-27630 (uC/TCP-IP 3.6.0), CVE-2020-27631 (CycloneTCP 1.9.6), CVE-2020-27632 (NDKTCPIP 2.25), CVE-2020-27633 (FNET 4.6.3), CVE-2020-27634 (uIP 1.0, Contiki-OS 3.0, Contiki-NG 4.5), CVE-2020-27635 (PicoTCP 1.7.0, PicoTCP-NG), and CVE-2020-27636 (MPLAB Net 3.6.1), while the ninth has a CVSS score of

“However, depending on, for example, the use of encrypted sessions and the sensitivity of data exchanged, the actual severity of a particular device and TCP connection may vary,” Forescout’s researchers notice.

In millions of embedded applications, including IT storage systems, medical devices, remote terminal units (RTUs), and wind turbine monitoring systems, among others, insecure stacks have been deployed.

Administrators are advised to recognise devices running insecure TCP/IP stacks (Forescout has published a discovery-aided open-source script), apply usable patches where possible, apply network segmentation to minimize threats, and use end-to-end cryptographic solutions built on top of the network layer (IPsec).

In October last year, the found vulnerabilities were posted to the affected suppliers and maintainers, and most of them have already released bug-fixing fixes, except for Nut/Net developers, who are still working on a workaround, and uIP developers, who have never responded to Forescout.

Unfortunately, because of the resource limitations of certain embedded systems, this form of weakness is often impossible to address indefinitely, and what is called a stable PRNG today can be considered vulnerable in the future. The researchers conclude that some stack developers prefer to rely on system integrators to enforce their own ISN generation, which is a reasonable choice, but that means that not all devices using a patched stack will be immediately protected.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.