Forescout announces completion of its Project Memoria, but more work remains to be done

Project Memoria

Forescout Research Labs announced the completion of its Project Memoria that identified almost 100 new vulnerabilities across 14 TCP/IP stacks since May last year. Its researchers identified that the vulnerability problem with TCP/IP stacks was much deeper and much more widespread than initial research had suggested.

Project Memoria began with the mission of providing the cybersecurity community with an extensive study of TCP/IP stack security. Forescout researchers collaborated with industry peers, universities, and research institutes to analyze the common mistakes behind vulnerabilities in TCP/IP stacks, identify the threats they pose to the extended enterprise, and determine best practices to mitigate the risk.

“Our researchers immediately understood that the problem with TCP/IP stacks was much deeper and much more widespread than initial research had suggested,” Forescout said in its report.

“Vulnerable TCP/IP stacks can be found in our IT, IoT, IoMT and OT devices. Every industry is impacted, from government to healthcare, from manufacturing to critical infrastructures,” Elisa Constante, vice president of research at Forescout, wrote in a LinkedIn post on Friday. “Some devices will be patched. Many will not. Some devices will be protected in properly segmented private networks; many will stay exposed to the internet. As of now, we do not know of any active exploit activities involving Project Memoria’s vulnerabilities, but do we need to wait for something bad to happen before understanding that we need to secure every single device in our networks?” she added.

There are a total of 97 vulnerabilities under Project Memoria, including 19 in Ripple20 found by JSOF, 33 in AMNESIA:33, nine in NUMBER:JACK, nine in NAME:WRECK found together with JSOF, 14 in INFRA:HALT found together with JFrog, and 13 in NUCLEUS:13 found together with Medigate, the report said.

These vulnerabilities affect 14 TCP/IP stacks: CycloneTCP, FNET, FreeBSD, IPnet, MPLAB Net, NetX, NicheStack, NDKTCPIP, Nucleus NET, Nut/Net, picoTCP, Treck, uC/TCP-IP, and uIP. lwIP is the only stack Forescout analyzed in which it found no issue.

The Forescout report said that because TCP/IP stacks have been around for a long time, they carry a variety of decades-old vulnerabilities, which often affect different versions of the same stack. The newest stack is seven years old, while the oldest is 28. The average age is 18.85 years – almost two decades. “Clearly, these stacks were originally designed and implemented at a time when cybersecurity was not as big of a concern as it is today,” the report added.

Although these stacks are still actively developed, it is common that some vulnerabilities that have been patched by the stack vendor do not make it all the way down the supply chain to all the affected devices.

One of the main reasons patches fail to make their way down the supply chain is ‘silent patching,’ the practice of fixing a vulnerability without public documentation and without assigning a CVE ID, Forescout said. This has long been common practice among software vendors and is slowly changing, with some vendors becoming more open to assigning CVE IDs to issues that are internally discovered or that affect older versions of their software, it added.

Project Memoria shows two things about silently patched vulnerabilities. Firstly, they exist in very critical supply-chain software, so there are millions of devices out there that have been vulnerable for a long time without even their vendors knowing about it because other vendors chose to remain silent. Secondly, silently patching a vulnerability does not mean that nobody will get to know about it, as these issues tend to be rediscovered again and again.

Another challenge Forescout found was that vendors were often unresponsive. In the past year, Project Memoria helped many device vendors understand the impact of the vulnerabilities, review patches, and helped asset owners identify and mitigate the risks around vulnerable yet unpatched devices.

“Although we expected that identifying vulnerable vendors, products and models would be a challenge, we were surprised to realize how difficult it is to keep track of vendors’ responses. Often, we were surprised to find out that a vendor issued a security advisory months after our public disclosure, which we only found out about because we were proactively searching,” the report said.

Because Project Memoria addressed supply chain vulnerabilities, it was inherently connected to the critical elements of the Software Bill of Materials (SBOM). As the project advanced, Forescout researchers carried out critical work on vulnerabilities affecting other important supply-chain components, such as DNS forwarders (DNSpooq) and RTOSes (BadAlloc). At the same time, attackers have realized that compromising supply chains is an extremely effective way of targeting organizations.

The past year has seen devastating supply chain attacks, such as those on SolarWinds and Kaseya, used to infiltrate hundreds of organizations. ENISA has recently published an extensive analysis of the threat landscape for supply chain attacks, and researchers are now analyzing several system administration tools that could be leveraged in similar attacks.

The cybersecurity community has reached a point where both industry and government recognize the complexity of software supply chains and the importance of SBOMs to fix the supply chain vulnerability problem, the report said. Luckily, there is important progress being made on that. “We are proud to have been a small part of what made progress possible by highlighting and bringing awareness to an important topic,” it added.

“Concluding Project Memoria does not mean that our work is done, either for TCP/IP stacks or other foundational components of the connected device ecosystem. As we did in previous studies, we invite other researchers and device vendors to continue this work and collaborate with us in future research,” Forescout added.
