In 2020, Forescout launched Project Memoria – the most extensive study of security posture of TCP/IP stacks. It started from collaboration with JSOF Research to understand the impact of Ripple20 and led to discovery of almost 100 vulnerabilities in 14 TCP/IP stacks, divided into five phases: AMNESIA:33, NUMBER:JACK, NAME:WRECK, INFRA:HALT and NUCLEUS:13.
What did Forescout’s report say?
Two years later after the initial Project Memoria was disclosed, Forescout’s research team, known as Vedere Labs, has found that exposed devices running vulnerable services have decreased in some cases, but increased in others. These were some of the findings.
The reported number of devices running NicheStack – the stack that was found vulnerable in INFRA:HALT allows for two things; Denial of Service or Remote Code Execution. This primarily affects operational technology(OT) and industrial control system(ICS) devices – which has increased by almost 50% in the same two-year time frame observed for NUCLEUS:13.
NUCLEUS:13, which was published as the last phase, revealed that the number of devices exposed on the internet running the Nucleus FTP server and RTOS had decreased by 13% and 25%, respectively, when compared to the release of NAME:WRECK, six months earlier.
Using the same queries on the Shodan search engine in August 2022, one year after first noticing the decline, there was a sharp decrease of exposed devices running the Nucleus FTP server. However, the number of devices running the Nucleus RTOS seems to have generally stabilised at around 1100-1200, which is still less than when Forescout started the research.
Two years later, it is clear that Project Memoria is even more relevant today. It foreshadowed persistent problems the industry is facing with supply chain vulnerabilities and why the recommended mitigation strategies provided with each disclosure can’t be ignored.
Since TCP/IP stacks are crucial supply chain elements used by software and device vendors, it’s no surprise that vulnerabilities found during Project Memoria ended up affecting hundreds of various products, from network switches to VoIP phones, patient monitors to gas turbines.
What were the key findings from Project Memoria?
The research brings to light the long-term effects from three particular points of view:
- The good: Project Memoria has led not only to fixes of individual issues but also to a body of work that provides guidance on how to avoid repeating the same mistakes. This body of work continues to influence further research.
- The bad: Some of these vulnerabilities are now exploited by threat actors; vendor response continues to be slow and, in many cases, vague.
- The ugly: The number of exposed devices running the vulnerable services disclosed by Project Memoria has decreased in some cases but remained stable or even increased in others, which shows that more attention must be put into network segmentation efforts.
Daniel Dos Santos, Head of Security Research at Forescout said, “Project Memoria came at a sensitive time when initiatives for understanding the complexity of software supply chains and how to tame that complexity with tools such as software bills of materials (SBOMs) and automated vulnerability disclosure were starting to gain traction across the industry.”
“However, the vulnerabilities in Project Memoria will probably remain an unsolved problem for a while, due to the fact that often no patches are available because vendors take a long time to publish them, and vulnerable devices continue to be exposed directly to the internet”.
Dos Santos continues, “One of the most important takeaways from the project by Forescout is that simply identifying vulnerable devices is not enough if no further action can be taken aftetwards. Mitigation measures such as device visibility, segmentation and exploit detection help with supply-chain vulnerabilities, and organisations around the world must adopt security tools that allow for detection of threats and automated, orchestrated response”.