CERT-In Advisory
CIAD-2020-0087
Multiple Vulnerabilities in Embedded TCP/IP stacks
Original Issue Date: December 24, 2020
Severity Rating: High
Systems Affected
- uIP-Contiki-OS (end-of-life [EOL]), Version 3.0 and prior
- uIP-Contiki-NG, Version 4.5 and prior
- uIP (EOL), Version 1.0 and prior
- open-iscsi, Version 2.1.12 and prior
- picoTCP-NG, Version 1.7.0 and prior
- picoTCP (EOL), Version 1.7.0 and prior
- FNET, Version 4.6.3
- Nut/Net, Version 5.1 and prior
Overview
Multiple Vulnerabilities have been reported in open source TCP/IP stacks that could be exploited by a remote attacker to perform denial of service (DoS) attack, execute arbitrary code or obtain sensitive information on the targeted system.
Description
These vulnerabilities exist in four open source TCP/IP stacks (uIP, FNET, picoTCP and Nut/Net) due to memory corruption in lightweight software implementations in Real Time Operating Systems (RTOS) and IoT devices. A remote unauthenticated attacker could exploit this vulnerability by sending a specially-crafted network packets on the targeted system.
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, gain access to sensitive information or perform Denial of Service (DoS) attack on the targeted system.
Best practices while connecting IoT or embedded devices to a network
- Avoid exposure of IoT and embedded devices directly over the Internet and use a segmented network zone when available.
- Enable security features such as deep-packet inspection and firewall anomaly detection when available to protect embedded and IoT devices.
- Ensure secure defaults are adopted and disable unused features and services on your embedded devices.
- Regularly update firmware to the vendor provided latest stable version to ensure your device is up to date.
Solution
FNET users update to Version 4.7.0 or later
https://github.com/butok/FNET/releases/tag/v4.7.0
uIP-Contiki-NG users update to the latest version available at
https://github.com/contiki-ng/contiki-ng
open-iscsi users update to the latest version available at
https://github.com/open-iscsi/open-iscsi
Maintainers of Nut/Net can update the latest version available at
http://www.ethernut.de/en/download/index.html
Vendor Information
uIP
https://www.contiki-ng.org/
PicoTCP
http://picotcp.altran.be
FNET
http://fnet.sourceforge.net/
Nut/OS
http://www.ethernut.de/en/software/
iscsi
https://github.com/open-iscsi/open-iscsi/security/advisories/GHSA-r278-fm99-8rgp
Microchip
https://www.microchip.com/design-centers/wireless-connectivity/software-vulnerability-response/amnesia-network-stack-vulnerability
References
NJCCIC
https://www.cyber.nj.gov/alerts-advisories/multiple-vulnerabilities-in-various-opensource-tcpip-stacks
US CERT
https://kb.cert.org/vuls/id/815128
https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01
SIEMENS
https://cert-portal.siemens.com/productcert/pdf/ssa-541017.pdf
FEIG
https://www.feig.de/fileadmin/user_upload/Downloads/Cybersecurity/2020-12-08-01_SecurityAdvisory.pdf
forescout
https://www.forescout.com/research-labs/amnesia33/
IoTSecurityFoundation
https://www.iotsecurityfoundation.org/securing-the-embedded-iot-world/
CVE Name
CVE-2020-13984
CVE-2020-13985
CVE-2020-13986
CVE-2020-13987
CVE-2020-13988
CVE-2020-17437
CVE-2020-17438
CVE-2020-17439
CVE-2020-17440
CVE-2020-17441
CVE-2020-17442
CVE-2020-17443
CVE-2020-17444
CVE-2020-17445
CVE-2020-17467
CVE-2020-17468
CVE-2020-17469
CVE-2020-17470
CVE-2020-24334
CVE-2020-24335
CVE-2020-24336
CVE-2020-24337
CVE-2020-24338
CVE-2020-24339
CVE-2020-24340
CVE-2020-24383
CVE-2020-25107
CVE-2020-25108
CVE-2020-25109
CVE-2020-25110
CVE-2020-25111
CVE-2020-25112
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India
|