Author Topic: AMNESIA:33 - TCP/IP stacks uIP, FNET, picoTCP and Nut/Net  (Read 3489 times)

0 Members and 1 Guest are viewing this topic.

Offline madiresTopic starter

  • Super Contributor
  • ***
  • Posts: 7697
  • Country: de
  • A qualified hobbyist ;)
AMNESIA:33 - TCP/IP stacks uIP, FNET, picoTCP and Nut/Net
« on: December 08, 2020, 01:17:09 pm »
Critical vulnerabilities in TCP/IP stacks uIP, FNET, picoTCP and Nut/Net: https://www.forescout.com/company/blog/amnesia33-forescout-research-labs-finds-33-new-vulnerabilities-in-open-source-tcp-ip-stacks/ (beware of the marketing)
 

Offline EasyGoing1

  • Regular Contributor
  • *
  • Posts: 50
  • Country: us
Re: AMNESIA:33 - TCP/IP stacks uIP, FNET, picoTCP and Nut/Net
« Reply #1 on: February 25, 2021, 01:49:35 pm »
These days, Im skeptical of statements like this

Generally, these vulnerabilities can be exploited to take full control of a target device (RCE)

Who's still out there making operating systems where the network layer processes are given root-level access? WHO? Cause they should be shot whoever they are.
 

Offline andersm

  • Super Contributor
  • ***
  • Posts: 1198
  • Country: fi
Re: AMNESIA:33 - TCP/IP stacks uIP, FNET, picoTCP and Nut/Net
« Reply #2 on: February 25, 2021, 09:43:28 pm »
Who's still out there making operating systems where the network layer processes are given root-level access?
The listed stacks are pretty much all aimed at microcontrollers.

Offline madiresTopic starter

  • Super Contributor
  • ***
  • Posts: 7697
  • Country: de
  • A qualified hobbyist ;)
 

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 3688
  • Country: us
Re: AMNESIA:33 - TCP/IP stacks uIP, FNET, picoTCP and Nut/Net
« Reply #4 on: April 14, 2021, 01:10:21 am »
These days, Im skeptical of statements like this

Generally, these vulnerabilities can be exploited to take full control of a target device (RCE)

Who's still out there making operating systems where the network layer processes are given root-level access? WHO? Cause they should be shot whoever they are.

There are no operating systems of any commercial or practical use where remote code execution in the network stack is not the highest level of security vulnerability.  Even if you have process isolation from the network code it has sufficiently privileged to be game over from a security standpoint.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf