Industrial device vulnerabilities increase by 50% in some cases as vendors ignore warnings

Vulnerabilities disclosed in Project Memoria are affecting devices as diverse as medical equipment and building automation controllers

Project Memoria is the most extensive study to date of the security posture of TCP/IP stacks. It started from a collaboration with JSOF Research to understand the impact of Ripple20 and led to the discovery of almost 100 vulnerabilities in 14 TCP/IP stacks, disclosed in five phases: AMNESIA:33, NUMBER:JACK, NAME:WRECK, INFRA:HALT and NUCLEUS:13.

Two years on from the initial Project Memoria disclosure, Forescout’s research team, Vedere Labs, has found that exposed devices running vulnerable services have decreased in some cases, but increased in others.  

The number of devices running NicheStack – the stack found vulnerable in INFRA:HALT, whose flaws allow denial of service or remote code execution and primarily affect operational technology (OT) and industrial control system (ICS) devices – has increased by almost 50% in the same two-year time frame observed for NUCLEUS:13.

NUCLEUS:13, which was published as the last phase of Project Memoria, revealed that the number of devices exposed on the internet running the Nucleus FTP server and RTOS had decreased by 13% and 25%, respectively, when compared to the release of NAME:WRECK, six months earlier.

When the same queries were run on the Shodan search engine in August 2022, one year after the decline was first noticed, they showed a sharp decrease in exposed devices running the Nucleus FTP server. However, the number of devices running the Nucleus RTOS seems to have stabilised at around 1100-1200, which is still fewer than when Forescout started the research.

Two years on, it’s clear that Project Memoria is even more relevant today. It foreshadowed the persistent problems the industry is facing with supply chain vulnerabilities and why the recommended mitigation strategies provided with each disclosure can’t be ignored.

Since TCP/IP stacks are important supply chain components used by many software and device vendors, it’s no surprise that the vulnerabilities found during Project Memoria ended up affecting hundreds of different products, from network switches to VoIP phones to patient monitors to gas turbines. 

The research brings to light the long-term effects from three points of view: 

  • The good: Project Memoria has led not only to fixes of individual issues but also to a body of work that provides guidance on how to avoid repeating the same mistakes. This body of work continues to influence further research.
  • The bad: Some of these vulnerabilities are now exploited by threat actors; vendor response continues to be slow and, in many cases, vague.
  • The ugly: The number of exposed devices running the vulnerable services disclosed by Project Memoria has decreased in some cases but remained stable or even increased in others, which shows that more attention must be put into network segmentation efforts.

Daniel Dos Santos, Head of Security Research at Forescout said, “Project Memoria came at a time when initiatives for understanding the complexity of software supply chains and how to tame that complexity with tools such as software bills of materials (SBOMs) and automated vulnerability disclosure were starting to gain traction. However, the vulnerabilities in Project Memoria will probably remain an unsolved problem for a long time, due to the fact that often no patches are available because vendors take a long time to publish them, and vulnerable devices continue to be exposed directly to the internet”.

Dos Santos continues, “One of the most important takeaways from the project is that simply identifying vulnerable devices is not enough if no further action can be taken. Mitigation measures such as device visibility, segmentation and exploit detection help with supply-chain vulnerabilities, and organisations must adopt security tools that allow for detection of threats and automated, orchestrated response”.