Amnesia:33 – Vulnerability in TCP/IP stack put many IoT devices at risk

[German]Security researchers have found 33 vulnerabilities in open source implementations of the TCP/IP stack. These endanger the device security of around 150 manufacturers. This applies to all devices connected to the Internet and ranges from medical devices to many IoT systems. Here is some information about the vulnerability called Amnesia:33.


What is Amnesia:33?

AMNESIA:33 is a collection of 33 vulnerabilities found by security researchers at Foresout Research Labs in four open source TCP/IP stacks (uIP, PicoTCP, FNET and Nut/Net). These open source TCP/IP stacks are used in millions of devices around the world that are connected to the Internet. In other words: These devices are currently at risk.

Amnesia:33 - IoT-Sicherheit
(Source: Pexels – free use)

The security researchers published a summary on Security Boulevard on December 7, 2020 and in this blog post (little detail, but rather advertising their security training). The Security Boulevard article links to a technical report, but it seems that it has not yet been published or withdrawn. The details of these vulnerabilities will be presented at Black Hat Europe 2020 (Dec 7-10, 2020). The security researchers have published a summary on Security Boulevard:

  • AMNESIA:33 affects seven different components of the stacks (DNS, IPv6, IPv4, TCP, ICMP, LLMNR and mDNS). Two vulnerabilities in AMNESIA:33 affect only 6LoWPAN wireless devices.
  • AMNESIA:33 has four categories of potential impact: Remote Code Execution (RCE), Denial of Service (DoS via crash or infinite loop), Infoleak, and DNS cache poisening. Four of the vulnerabilities allow remote code execution and are considered critical.

Security researchers write that these vulnerabilities can be exploited on networked devices to take full control of a target device (RCE), compromise its functionality (DoS), obtain potentially sensitive information (Infoleak), or inject malicious DNS records to point a device to a domain controlled by the attacker (DNS cache poisoning).

The AMNESIA:33 vulnerabilities were discovered by Forescout Research Labs as part of the Memoria project. This is an initiative that aims to provide the cyber security community with the largest study of TCP/IP stack security.

Devices from at least 150 manufacturers potentially affected

The security researchers write: However, depending on how a TCP/IP stack is used, the different devices may be affected differently by the vulnerabilities. The experts estimate that more than 150 vendors and millions of devices are probably vulnerable to AMNESIA:33.


The security researchers at Foresout Research Labs have communicated their findings to the coordinating agencies (such as ICS-CERT and CERT/CC) who have contacted the identified vendors. Some vendors have already confirmed the vulnerabilities and issued their patches, but some are still under investigation.

The widespread nature of these vulnerabilities means that many organizations around the world could be affected by AMNESIA:33. Organizations that fail to mitigate this risk leave open doors for attackers to use IT, OT and IoT devices throughout their organization. In the article here, the security researchers go into the risks in more detail and make suggestions on how users can mitigate the vulnerabilities in the devices. For private users, only security updates, if available, remain to be installed. Companies and organizations have some additional options such as network segmentation, blocking IPv6 traffic, using internal DNS servers, monitoring and filtering TCP/IP packets to reduce risk.

Addendum: The security researchers has revealed some more details on Blackhat conference. Wired has here more details.

Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security, Software and tagged , , . Bookmark the permalink.

3 Responses to Amnesia:33 – Vulnerability in TCP/IP stack put many IoT devices at risk

  1. Dat Bundesferkel says:

    Nicht sicher, ob Du es schon weißt, aber die deutsche Präsenz Deiner IT Seite schmeisst beim Aufruf nur noch einen Fehler um sich.

    Das Skript konnte nicht fehlerfrei ausgeführt werden.
    Bitte prüfen Sie Ihr Error-Logfile auf die genaue Fehlermeldung. Dies finden Sie im KIS unter "Administration > *IHR PRODUKT* > *IHR PAKETNAME* > Logfiles". Weitere Informationen finden Sie auch in unseren FAQ.
    The script could not be executed correctly.
    Please refer to your error log for details about this error. You find it in your KIS under the item "Administration > *YOUR PRODUCT* > *YOUR PACKAGE* > Logfiles". Further information can also be found in our FAQ.

    Hätte Dich ja lieber via Impressum kontaktiert, aber irgendwie ist der Wurm drin bei Dir.

    Lösche den Beitrag bitte, falls überflüssig / bereits bekannt / erledigt. Danke. :)

    • Dan Sem says:

      Die Fehlermeldungen kann ich (zumindest Stand jetzt) nicht bestätigen.

    • guenni says:

      Ist klar – ich hatte technische Probleme im Blog und da kamen die Anzeigen.
      For my English readership: I've had some technical issues with my WordPress package, so the last hours the blogs droped some error messages from time to time. But I assume, the issues are solve.

      The nasty background: Last week (Nov. 30) a WordPress plugin (WP statistics) has forced my web server to it's knees. I managed to fix it.

      And on Dec. 7, suddenly my Windows Live Writer wasn't able to publish in one of my blogs. I guess, a WordPress plugin (really simple ssl) update has blocked access to the publishing interface (the xmlrpc.php 301 moved permanently error). Took me some time, to fix that.

      Now some of these plugins are gone – I've implemented it in another way.

Leave a Reply

Your email address will not be published. Required fields are marked *