UPDATED 21:01 EDT / DECEMBER 08 2020


Researchers find 33 vulnerabilities present in millions of connected devices

Security researchers have discovered 33 vulnerabilities in four open-source libraries used by millions of connected devices that make them vulnerable to hacking.

Detailed today by researchers at Forescout Technologies Inc., the vulnerabilities, dubbed “Amnesia:33,” affect the open-source TCP/IP stacks uIP, FNET, picoTCP and Nut/Net. The vulnerabilities primarily cause memory corruption, allowing attackers to compromise devices, execute malicious code, perform denial-of-service attacks and steal sensitive information.

Vulnerabilities, particularly in consumer “internet of things” devices, are not new, but where the Amnesia:33 vulnerabilities differ is in the sheer scope of exposed devices. Devices from more than 150 vendors are believed to use the open-source libraries, with millions of devices potentially affected. These include not only consumer IoT devices but also embedded components such as systems on a chip, connectivity modules and OEM boards; operational technology including access control, IP cameras, protocol gateways and heating, ventilation and air conditioning systems; and network and office technology such as printers, routers and servers.

Exactly how many devices are affected is said to be “difficult to assess” because the vulnerable stacks are widely spread, highly modular and incorporated in undocumented, deeply embedded subsystems. For the same reason, these vulnerabilities are also very hard to eradicate.

The vulnerabilities themselves are described as coming about because of bad software development practices such as an absence of basic input validation.
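The missing-input-validation pattern the researchers describe typically shows up in packet parsers that trust a length field carried in the packet itself. The following is an added, constructed illustration written for this article; it is not code from Forescout or from uIP, FNET, picoTCP or Nut/Net, and the option format (a TCP-options-style kind/length/value list) is only a stand-in for whatever structure a given stack parses. The first function shows the anti-pattern; the second shows the bounds checks an embedded parser needs before it reads each byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One parsed option: kind byte, payload length, pointer into the packet. */
struct tlv_opt {
    uint8_t kind;
    size_t data_len;
    const uint8_t *data;
};

enum { OPT_END = 0, OPT_NOP = 1 };   /* single-byte options, as in TCP */

/*
 * ANTI-PATTERN (constructed for illustration, not code from any affected
 * stack): the parser trusts the length byte that arrived in the packet.
 * A length below 2 underflows the payload size and never advances the
 * cursor; a length larger than the remaining bytes walks the read pointer
 * past the end of the packet buffer. Only call this on well-formed input.
 */
int parse_options_naive(const uint8_t *buf, size_t len,
                        struct tlv_opt *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < len && n < max_out) {
        uint8_t kind = buf[off];
        if (kind == OPT_END) break;
        if (kind == OPT_NOP) { off++; continue; }
        uint8_t olen = buf[off + 1];        /* no check that off+1 < len */
        out[n].kind = kind;
        out[n].data_len = olen - 2;         /* olen < 2 underflows        */
        out[n].data = buf + off + 2;
        n++;
        off += olen;                        /* olen == 0 never advances   */
    }
    return (int)n;
}

/*
 * Hardened form: every byte about to be read is first shown to lie inside
 * [buf, buf + len), the length byte must cover at least its own two-byte
 * header, and the caller's output array is never overrun. Malformed input
 * yields -1 instead of a read or write outside the packet.
 */
int parse_options_safe(const uint8_t *buf, size_t len,
                       struct tlv_opt *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < len) {
        uint8_t kind = buf[off];
        if (kind == OPT_END) break;
        if (kind == OPT_NOP) { off++; continue; }
        if (off + 1 >= len) return -1;       /* length byte would be past end */
        uint8_t olen = buf[off + 1];
        if (olen < 2) return -1;             /* must cover kind + len bytes   */
        if (olen > len - off) return -1;     /* payload must fit in the packet */
        if (n == max_out) return -1;         /* output array is full          */
        out[n].kind = kind;
        out[n].data_len = (size_t)olen - 2;
        out[n].data = buf + off + 2;
        n++;
        off += olen;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed sample: an MSS-style option (kind 2, len 4, value 0x05b4),
       a NOP, a window-scale-style option (kind 3, len 3, value 7), then END. */
    static const uint8_t good[] = {2, 4, 0x05, 0xb4, 1, 3, 3, 7, 0};
    /* Constructed malformed sample: the length byte claims 40 bytes but the
       packet only has 6. */
    static const uint8_t truncated[] = {2, 40, 0x05, 0xb4, 0, 0};
    struct tlv_opt opts[8];

    printf("well-formed: %d options\n",
           parse_options_safe(good, sizeof good, opts, 8));
    printf("truncated:   %d (rejected)\n",
           parse_options_safe(truncated, sizeof truncated, opts, 8));
    return 0;
}
```

The checks are cheap enough for a microcontroller; what the hardened version buys is that a device receiving a malformed packet drops it rather than corrupting memory, which is the difference between a log entry and a remote compromise.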

The discovery is being treated seriously at a government level, and the U.S. Department of Homeland Security Cybersecurity & Infrastructure Agency issued an ICS Advisory. According to CISA, some of the companies affected have already released patches for the vulnerabilities, including Devolo AG, EMU Electronic AG, FEIG Electronics Inc., Genetec Inc., Harting Inc., Hensoldt AG, Microchip Technology Inc., Nontech, NT-Ware Systemprogrammierungs-GmbH, TagMaster AB, Siemens AG, Uniflow and Yanzi Networks AB.

Today’s findings provide yet more evidence that it’s open season on open source, Ilkka Turunen, global director of solutions architecture at DevOps automation firm Sonatype Inc., told SiliconANGLE. “Modern software is no longer built from scratch but by using prefabricated open source components,” he said. “But with 11% of components known to have a documented vulnerability, it’s clear that today’s findings are indicative of a much bigger problem — companies aren’t doing enough to secure their software supply chains.”

To mitigate these issues, he added, it’s critical that businesses have a software bill of materials in place for every release. “Acting like a list of ingredients that certifies the software supply chain, a bill of materials enables companies to quickly determine whether a vulnerable software component is in a device, and take steps to remediate the issue,” he said.

Boris Cipot, senior sales engineer at electronic design automation company Synopsys Inc., noted that IoT users need to be aware that many of the devices on the market and used in their homes will pass, or have already passed, the maintenance guarantee period offered by the manufacturer.

“In other words, the difficulty is in ensuring that devices are patched, particularly for any low cost/high volume product,” he said. “This same concern also applies to license conflict issues that may surface in the software. Therefore, manufacturers of such products have to put extra energy into getting it right along all dimensions before release.”

Image: Forescout
