Popular OT/IoT Router Firmware Images Contain Outdated Software and Exploitable N-Day Vulnerabilities Affecting the Kernel
August 7, 2024 - 12:01AM
Business Wire (English)
New Research from Forescout and Finite State
Examine the State of the Software Supply Chain in OT/IoT
Routers
Forescout Technologies, Inc., a global cybersecurity leader, and
Finite State, an industry leader in software supply chain security,
announced today the release of a new report, “Rough Around the
Edges,” that analyzes the state of software supply chain in OT/IoT
routers, which are essential for connecting critical devices across
various environments to the internet. The research revealed that OT
and IoT cellular routers, and others used in small offices and
homes, have outdated software components that are linked to
existing (“n-day”) vulnerabilities. “Rough Around the Edges” found
that popular OT/IoT router firmware images had an average of 20
exploitable n-day vulnerabilities affecting the kernel, with
widening security gaps.
This press release features multimedia. View
the full release here:
https://www.businesswire.com/news/home/20240806879361/en/
Rough Around the Edges, new research into
the state of the software supply chain in OT/IoT routers by
Forescout Research - Vedere Labs and Finite State. (Graphic:
Business Wire)
“With the convergence of IoT and OT, threats targeting connected
devices are increasing exponentially due to cybercriminal botnets,
nation-state APTs and hacktivists,” said Daniel dos Santos, Head
of Research at Forescout Research – Vedere Labs. “Our recent
Sierra:21 research found tens of thousands of devices with outdated
firmware are exposed online, easily accessible to hackers.
Following the publication of Sierra:21, we wanted to understand the
state of software components in OT/IoT network devices from other
vendors, and what threat actors might uncover if they looked more
closely at this software supply chain. Instead of finding new
vulnerabilities, our goal was to look at what is already known
(“n-day”), but still present in the latest firmware releases of
routers.”
Read the blog: Firmware Vulnerabilities Run Rampant in Cellular
Routers
Forescout Research and Finite State analyzed five firmware
images from popular OT/IoT router vendors: Acksys, Digi, MDEX,
Teltonika, and Unitronics. The “Rough Around the Edges” report
includes the following key findings from this analysis:
- OpenWrt is everywhere. Four of the five firmware images
analyzed run operating systems derived from OpenWrt, an open-source
Linux-based OS for embedded devices. But those four images use
heavily modified versions of the base system, either mixing and
matching individual component versions on top of a base release or
developing their own in-house components.
- Software components are often outdated. The analysis
identified an average of 662 components and 2,154 findings per
firmware image, spanning known vulnerabilities, weak security
posture, and potential new vulnerabilities. The research singled
out 25 common components and found that the average open-source
component was five years and six months old and four years and
four months behind its latest release. Even the most recent
firmware images do not use the latest releases of open-source
components, including critical ones such as the kernel and
OpenSSL.
- Known vulnerabilities abound. On average, firmware
images had 161 known vulnerabilities in their most common
components: 68 with a low or medium CVSS score, 69 with a high
score, and 24 with a critical score. Additionally, the firmware
images had an average of 20 exploitable n-day vulnerabilities
affecting the kernel.
- Security features are lacking. On average, 41% of
binaries across the firmware images use RELRO, 31% use stack
canaries, 65% use NX, and 75% use PIE, while 4% carry an RPATH
entry and 35% still contain debugging symbols. The last two count
against a binary: RPATH hard-codes library search directories into
the executable, which is a library-hijacking risk if any of them is
writable, and debugging symbols make reverse engineering easier.
The averages can be misleading because the differences between
firmware images are very large. Overall, all five firmware images
examined are lacking in binary protection mechanisms.
- Default credentials are going away. Even though every
firmware image came with default credentials, they were often
uniquely generated, and the user was forced to change them when
configuring the device, so they are not exploitable under normal
circumstances.
- Custom patching is a problem. The analysis found
examples of vendors applying their own patches to known
vulnerabilities and introducing new issues, as well as patching
vulnerabilities without incrementing the version of the component.
The latter leaves device users unable to tell from a version number
alone whether a component is vulnerable, and it defeats any
version-based SBOM or scanner matching.
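The binary-hardening percentages above are what a per-binary checksec pass produces when it is run over every ELF file in an unpacked firmware root. As an added example (this is not Forescout's or Finite State's tooling, and not code from the report), the script below parses ELF program headers and the dynamic section to decide RELRO (none, partial or full), NX, PIE and RPATH/RUNPATH, uses string heuristics for the stack-canary hook and for debug sections, and aggregates a list of per-binary results into the same percentages the report tabulates. The two ELF images it checks are constructed fixtures produced by build_elf64, not binaries from any router firmware; the names check_hardening, summarize and build_elf64 are this example's own.

```python
"""ELF hardening check in the report's categories: RELRO, stack canary, NX,
PIE, RPATH, debug symbols, per binary and as percentages across a set.
Added example, not Forescout/Finite State tooling."""
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3
DT_NULL, DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS = 0, 15, 24, 29, 30
DF_BIND_NOW = 0x8

# ELF class -> (phdr struct format, field indices of type/flags/offset/filesz,
# dynamic entry format). ELF32 stores p_flags after p_memsz; ELF64 after p_type.
LAYOUT = {1: ("IIIIIIII", (0, 6, 1, 4), "iI"),
          2: ("IIQQQQQQ", (0, 1, 2, 5), "qQ")}


def parse_elf(data):
    """Return (endian prefix, class, e_type, program headers) for an ELF image."""
    if data[:4] != b"\x7fELF" or data[4] not in LAYOUT:
        raise ValueError("not an ELF32/ELF64 image")
    cls, end = data[4], ("<" if data[5] == 1 else ">")
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if cls == 1:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    else:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    fmt, (ti, fi, oi, si), _ = LAYOUT[cls]
    phdrs = []
    for i in range(e_phnum):
        f = struct.unpack_from(end + fmt, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": f[ti], "flags": f[fi], "offset": f[oi], "filesz": f[si]})
    return end, cls, e_type, phdrs


def read_dynamic(data, end, cls, dyn):
    """Map d_tag -> d_val for the PT_DYNAMIC segment (last value wins)."""
    tags = {}
    if dyn is None:
        return tags
    fmt = end + LAYOUT[cls][2]
    size, off, stop = struct.calcsize(fmt), dyn["offset"], dyn["offset"] + dyn["filesz"]
    while off + size <= stop:
        tag, val = struct.unpack_from(fmt, data, off)
        if tag == DT_NULL:
            break
        tags[tag] = val
        off += size
    return tags


def check_hardening(data):
    """Per-binary hardening facts, in the categories the report tabulates."""
    end, cls, e_type, phdrs = parse_elf(data)
    seg = {}
    for p in phdrs:
        seg.setdefault(p["type"], p)
    dyn = read_dynamic(data, end, cls, seg.get(PT_DYNAMIC))
    bind_now = DT_BIND_NOW in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
    relro = "none" if PT_GNU_RELRO not in seg else ("full" if bind_now else "partial")
    stack = seg.get(PT_GNU_STACK)
    return {
        "relro": relro,
        # Heuristic: GCC's canary failure hook is referenced by name in the binary.
        "canary": b"__stack_chk_fail" in data,
        # No PT_GNU_STACK at all means the loader falls back to an executable stack.
        "nx": stack is not None and not (stack["flags"] & PF_X),
        "pie": e_type == ET_DYN,
        "rpath": DT_RPATH in dyn or DT_RUNPATH in dyn,  # a weakness, not a protection
        # Heuristic: unstripped binaries keep a .debug_info section name.
        "debug_symbols": b".debug_info" in data,
    }


def summarize(results):
    """Percentage of binaries showing each property, as in the report's figures."""
    n = len(results)

    def pct(key, ok):
        return round(100.0 * sum(1 for r in results if ok(r[key])) / n, 1)
    return {"relro": pct("relro", lambda v: v != "none"), "canary": pct("canary", bool),
            "nx": pct("nx", bool), "pie": pct("pie", bool), "rpath": pct("rpath", bool),
            "debug_symbols": pct("debug_symbols", bool)}


def build_elf64(e_type, exec_stack, relro, dyn_tags, tail=b""):
    """Constructed little-endian ELF64 fixture for the demo (not a real binary)."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags) + struct.pack("<qQ", DT_NULL, 0)
    n_ph = 3 if relro else 2
    dyn_off = 64 + 56 * n_ph  # dynamic section sits right after the program headers
    ph = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16),
          (PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)]
    if relro:
        ph.append((PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1))
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr += struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in ph) + dyn + tail


if __name__ == "__main__":
    hardened = build_elf64(ET_DYN, False, True, [(DT_FLAGS, DF_BIND_NOW)], b"\0__stack_chk_fail\0")
    weak = build_elf64(ET_EXEC, True, False, [(DT_RPATH, 1)], b"\0.debug_info\0")
    results = [check_hardening(hardened), check_hardening(weak)]
    for r in results:
        print(r)
    print(summarize(results))
```

On a real image, walk the extracted rootfs, feed every file that starts with the ELF magic to check_hardening, and pass the list to summarize; the canary and debug-symbol checks are string heuristics, so confirm them against the symbol table (readelf -s / --debug-dump) before reporting a single binary, and treat "rpath" and "debug_symbols" as findings rather than protections when you read the percentages.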
“The ‘Rough Around the Edges’ report reveals a troubling trend
of outdated software components in OT/IoT routers, with many
devices running modified versions of OpenWrt that include known
vulnerabilities,” said Larry Pesce, Director of Product Research
and Development at Finite State. “These findings highlight the
critical importance of addressing software supply chain risks, as
our analysis identified an average of 161 known vulnerabilities per
firmware image, including 24 with critical scores. By leveraging
our platform’s capabilities, organizations can gain deep insights
into their software’s vulnerabilities and outdated components,
allowing them to proactively address risks and protect their
products and customers from evolving cyber threats.”
The research found that component age, the number of known
vulnerabilities, and binary hardening practices are correlated
across vendors: as expected, firmware built from newer components
tends to have fewer known vulnerabilities and better binary
protections.
“As we observe an unprecedented increase in both managed and
unmanaged devices connecting to the Internet—extending into
critical infrastructure sectors and beyond—the need for robust
cybersecurity measures has never been more urgent,” said Forescout
CEO, Barry Mainz. “To effectively mitigate risks in an environment
increasingly dominated by Operational Technology (OT) and Internet
of Things (IoT), we need a comprehensive asset inventory that
identifies crucial details through both passive and active methods.
Integrating this data with Software Bills of Materials (SBOMs)
helps us deliver targeted risk information and enforce security
measures essential for protecting our digital infrastructure.”
Join the lead researchers from Forescout and Finite State to
delve into the risks associated with OT/IoT routers and discover
effective strategies for mitigation.
- Register now for the webinar "Rough Around the Edges: The State
of OT/IoT Routers in the Software Supply Chain." Date: September
18, 2024 at 11:00 AM ET / 8:00 AM PT.
- Download the report: “Rough Around the Edges – The State of
OT/IoT Routers in the Software Supply Chain”
- Check out the blog: New Report from Finite State and Forescout
Uncovering the Hidden Vulnerabilities in OT/IoT Routers
About Forescout
The Forescout cybersecurity platform provides complete asset
intelligence and control across IT, OT, and IoT environments. For
more than 20 years, Fortune 100 organizations, government agencies,
and large enterprises have trusted Forescout as their foundation to
manage cyber risk, ensure compliance, and mitigate threats. With
seamless context sharing and workflow orchestration across more
than 100 full-featured security and IT product integrations,
Forescout makes every cybersecurity investment more effective.
Forescout Research – Vedere Labs is the industry leader in
device intelligence, curating unique and proprietary threat
intelligence that powers Forescout’s platform.
About Finite State
Finite State is the leading provider of software risk management
solutions for connected devices and software supply chains. The
Finite State platform is a central hub for device security,
delivering continuous visibility into potential software risks.
Armed with access to over two billion data points, customers
receive actionable insights, encompassing SBOMs, vulnerability
data, and remediation guidance. This proactive strategy streamlines
the mitigation of application security (AppSec) and product risks,
ensuring the safeguarding of critical sectors like consumer IoT,
healthcare, automotive, manufacturing, and energy against cyber
threats. For more information, please visit
https://finitestate.io/
View source
version on businesswire.com: https://www.businesswire.com/news/home/20240806879361/en/
Media Contacts RH Strategic for Forescout
forescoutpr@rhstrategic.com
Carmen Harris carmen.harris@forescout.com