For years, the NSA has been telling us that firewalls cannot be relied on as a defense against targeted nation-state attacks. Now we finally have some concrete examples of why this is true.
On December 7, Forescout announced that it had identified a new set of software flaws, known collectively as Amnesia:33, in four open-source TCP/IP stacks (uIP, FNET, picoTCP and Nut/Net) that are built into devices from more than 150 vendors. This follows the earlier announcement from JSOF of a similar set of 19 vulnerabilities, known as Ripple20, in the Treck TCP/IP stack, which is widely used in IoT and embedded devices.
This summary is from the JSOF announcement:
“Ripple20 vulnerabilities are unique both in their widespread effect and impact due to supply chain effect and being vulnerabilities allowing attackers to bypass NAT and firewalls and take control of devices undetected, with no user interaction required. This is due to the vulnerabilities being in a low-level TCP/IP stack, and the fact that for many of the vulnerabilities, the packets sent are very similar to valid packets, or, in some cases are completely valid packets. This enables the attack to pass as legitimate traffic.”
How pervasive is this issue? Intel uses the Treck TCP/IP stack for their management services (for example, the Converged Security and Manageability Engine, the Trusted Execution Engine, and Server Platform Services), which means that any system that exposes these services to a network is potentially vulnerable.
The Amnesia:33 vulnerabilities exist in several additional TCP/IP stacks, as described in the ForeScout announcement:
“The flaws impact a diverse range of embedded systems, ranging from medical devices, industrial control systems, routers and switches – virtually anything that is running a vulnerable TCP/IP stack. The largest affected categories of affected devices are enterprise and consumer IoT devices.”
Owl Cyber Defense products use the Linux TCP/IP stack shipped with Red Hat Enterprise Linux and CentOS, which is not affected by these vulnerabilities. Many of our products use Intel chips, but we have confirmed that our CDS products are not vulnerable. Other Owl products do not use the impacted Intel management services, though it is theoretically possible to turn these on if the BIOS is improperly configured. Owl advises its customers to carefully follow the configuration guidance provided with their products.
Several of the Ripple20 and Amnesia:33 vulnerabilities are triggered by packets that are well-formed enough to pass a firewall's checks but carry edge-case values that the receiving stack mishandles: manipulated IP fragmentation, or header fields with values the parser does not expect (for example, a length field of zero). Firewalls do not typically detect issues like this. A 5-tuple rule looks at addresses, protocol and ports, and even stateful inspection only tracks a sequence of packets to confirm the session is being maintained properly; neither asks whether a length field is consistent with the bytes that follow it. Firewall vendors will (or already have) come up with signatures for this type of traffic, but it will always be a cat-and-mouse game in which each attack has to be detected first and a check added afterwards to prevent it.
Owl takes a different approach. All of our security products provide a protocol break with enforced domain separation. This means that protocols are terminated on each side and only the payload is transferred over the hardware separation. By doing this, any inappropriate values in the packet headers, or malicious packet fragmentation, do not propagate. In addition, our diode products completely prevent return traffic, which makes exploiting a vulnerability much more difficult.
As data passes across an Owl data diode or cross domain solution, protocols are terminated by independent proxy servers on each side of the device. Each side of the device has an independent CPU, and the only connection between the two CPUs is via a hardware-assisted diode.
This approach further isolates a potential attack: even if one side had an exploitable vulnerability, the result would be control of that side's proxy server only. If the destination side is compromised, there is no path to send packets back to the source through the one-way diode. If the source side is compromised, the attacker then faces the challenge of sending packets through the diode that will compromise the receive-side proxy with no response coming back to guide the attempt.
These scenarios demonstrate the importance of Owl's hardware-enforced protocol break. Owl does not use a stock IP stack on its diode modules, so the same exploit used to compromise one side will not work on the other. This is completely different from a conventional firewall or smart switch, where all of the logic runs on a single CPU: once that CPU has been exploited, all protection mechanisms are likely subverted.
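The following is an added example written for this page; it is not code from Owl, Treck, Forescout or JSOF, and it is a deliberately simplified illustration rather than a reproduction of any Ripple20 or Amnesia:33 bug. It ties together the two points above: it builds a constructed IPv4/UDP packet (made-up addresses, a fixed 4-byte payload) and shows that a 5-tuple firewall rule passes a packet whose IP Total Length field is zero, that naive header arithmetic on such a packet underflows to a huge payload length, how a hardened parser rejects it (and an oversize fragment offset), and how a protocol break in the spirit of the paragraphs above forwards only the payload bytes, so the malformed header never reaches the far side. All function names are illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo packet: 20-byte IPv4 header, 8-byte UDP header, 4-byte payload.
 * Total Length and Fragment fields are caller-chosen so we can craft bad values. */
#define PKT_LEN 32

static size_t build_packet(uint8_t *buf, uint16_t tot_len, uint16_t frag_field,
                           uint16_t dport)
{
    memset(buf, 0, PKT_LEN);
    buf[0] = 0x45;                                 /* IPv4, IHL = 5 (20 bytes) */
    buf[2] = tot_len >> 8;    buf[3] = tot_len & 0xff;
    buf[6] = frag_field >> 8; buf[7] = frag_field & 0xff;
    buf[8] = 64;              buf[9] = 17;         /* TTL, protocol = UDP */
    buf[12] = 10; buf[15] = 1;                     /* src 10.0.0.1 (constructed) */
    buf[16] = 10; buf[19] = 2;                     /* dst 10.0.0.2 (constructed) */
    buf[22] = dport >> 8;     buf[23] = dport & 0xff;
    buf[25] = 12;                                  /* UDP length: 8 + 4 */
    memcpy(buf + 28, "ABCD", 4);                   /* constructed payload */
    return PKT_LEN;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* A 5-tuple firewall rule: IPv4, UDP, destination port 53. It never asks whether
 * Total Length is consistent with the header, so a tot_len = 0 packet passes. */
static bool firewall_permits(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 17) return false;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (len < ihl + 8) return false;
    return rd16(pkt + ihl + 2) == 53;
}

/* Naive stack arithmetic: trusts Total Length, so tot_len = 0 minus a 20-byte
 * header wraps to 65516 in a 16-bit length, the classic underflow pattern. */
static uint16_t naive_payload_len(const uint8_t *pkt)
{
    uint16_t ihl = (uint16_t)((pkt[0] & 0x0f) * 4);
    uint16_t tot_len = rd16(pkt + 2);
    return (uint16_t)(tot_len - ihl);
}

/* Hardened: validate every length against the buffer and the header before any
 * arithmetic. Returns the payload length, or -1 to drop the packet. */
static long hardened_payload_len(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    uint16_t tot_len = rd16(pkt + 2);
    if (tot_len < ihl || tot_len > len) return -1;   /* zero, short or over-long */
    return (long)(tot_len - ihl);
}

/* Fragment sanity: offset*8 + payload must fit a 16-bit datagram, and every
 * non-final fragment must carry a multiple of 8 bytes. */
static bool fragment_fits(const uint8_t *pkt, size_t len)
{
    long plen = hardened_payload_len(pkt, len);
    if (plen < 0) return false;
    uint16_t ff = rd16(pkt + 6);
    bool more = (ff & 0x2000) != 0;
    uint32_t off = (uint32_t)(ff & 0x1fff) * 8;
    if (more && plen % 8 != 0) return false;
    return off + (uint32_t)plen <= 65535;
}

/* Protocol break: the send-side proxy re-parses the packet, keeps only the UDP
 * payload and hands those bytes (nothing from the IP/UDP headers) across.
 * Returns bytes transferred, or -1 if the packet is dropped on the send side. */
static long protocol_break_forward(const uint8_t *pkt, size_t len,
                                   uint8_t *out, size_t out_cap)
{
    if (!fragment_fits(pkt, len)) return -1;
    long plen = hardened_payload_len(pkt, len);      /* >= 0 after the check above */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (plen < 8 || (size_t)plen - 8 > out_cap) return -1;
    size_t n = (size_t)plen - 8;                     /* strip the UDP header too */
    memcpy(out, pkt + ihl + 8, n);
    return (long)n;
}

int main(void)
{
    uint8_t good[PKT_LEN], bad[PKT_LEN], out[PKT_LEN];
    build_packet(good, PKT_LEN, 0, 53);
    build_packet(bad, 0, 0, 53);                     /* Total Length = 0: "almost valid" */
    printf("firewall permits: good=%d bad=%d\n",
           firewall_permits(good, PKT_LEN), firewall_permits(bad, PKT_LEN));
    printf("naive payload len: good=%u bad=%u\n",
           naive_payload_len(good), naive_payload_len(bad));
    printf("hardened payload len: good=%ld bad=%ld\n",
           hardened_payload_len(good, PKT_LEN), hardened_payload_len(bad, PKT_LEN));
    printf("protocol break forwarded: good=%ld bad=%ld\n",
           protocol_break_forward(good, PKT_LEN, out, sizeof out),
           protocol_break_forward(bad, PKT_LEN, out, sizeof out));
    return 0;
}
```

The point of the contrast is that `firewall_permits` says yes to both packets, because nothing in a port-and-protocol rule depends on Total Length, while the stack-side arithmetic is where the damage happens. The protocol-break path drops the packet before any of its header values are acted on, and the only bytes that cross are the four payload bytes, which the far side wraps in a header of its own making.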
Owl has been building security products for defense, intelligence, and commercial customers for more than 20 years. We specialize in hardware-enforced systems with strong filtering that are designed to withstand nation-state level attacks. Our products have been evaluated against the most stringent requirements for cross domain solutions, including recently updated NSA requirements for hardware separation on all high-threat networks.
Because of our dedication to hardware enforced security and maximum assurance—and without prior knowledge of these vulnerabilities—Owl products mitigate the Ripple20 and Amnesia:33 vulnerabilities. In fact, our products fully address the mitigation strategies suggested by JSOF:
- Minimize network exposure for embedded and critical devices, keeping exposure to the minimum necessary, and ensuring that devices are not accessible from the Internet unless absolutely essential.
- Segregate OT networks and devices behind firewalls and isolate them from the business network.
- Enable only secure remote access methods.
- Block anomalous IP traffic.
- Block network attacks via deep packet inspection, to reduce risk to your Treck embedded TCP/IP-enabled devices.