Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Embedded TCP/IP stacks have memory corruption vulnerabilities
Informations
Name VU#815128 First vendor Publication 2020-12-08
Vendor VU-CERT Last vendor Modification 2021-03-23
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 9.8
Base Score 9.8 Environmental Score 9.8
impact SubScore 5.9 Temporal Score 9.8
Exploitabality Sub Score 3.9
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Overview

Multiple open-source embedded TCP/IP stacks, commonly used in Internet of Things (IoT) and embedded devices, have several vulnerabilities stemming from improper memory management. These vulnerabilities are also tracked as ICS-VU-633937 and JVNVU#96491057 as well as the name AMNESIA:33.

Description

Embedded TCP/IP stacks provide essential network communication capability using TCP/IP networking to many lightweight operating systems adopted by IoT and other embedded devices. These software stacks can also be used in the latest technologies such as Edge Computing. The following embedded TCP/IP stacks were discovered to have 33 memory related vulnerabilities included in this advisory:

  • uIP: https://github.com/adamdunkels/uip
  • Contiki-OS and Contiki-NG: https://www.contiki-ng.org/
  • PicoTCP and PicoTCP-NG: http://picotcp.altran.be
  • FNET: http://fnet.sourceforge.net/
  • Nut/OS: http://www.ethernut.de/en/software/

These networking software stacks can be integrated in various ways, including compiled from source, modified and integrated, and linked as a dynamic or static libraries, allowing for a wide variety of implementations. As an example, projects such as Apache Nuttx and open-iscsi have adopted common libraries and software modules, thus inheriting some of these vulnerabilities with varying levels of impact. The diversity of implementations and the lack of supply chain visibility has made it difficult to accurately assess the impact, usage as well as the potential exploitability of these vulnerabilities.

In general, most of these vulnerabilities are caused by memory management bugs, commonly seen in lightweight software implementations in Real Time Operating Systems (RTOS) and IoT devices. For specific details on these vulnerabilities, see the Forescout advisory that provides technical details. Due to the lack of visibility of these software usage, Forescout has released an open source version of Detector that can be used to identify potentially vulnerable software.

Impact

The impact of these vulnerabilities vary widely due to the combination of build and runtime options customized while including these in embedded devices. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause the vulnerable device to behave in unexpected ways such as a failure (denial of service), disclosure of private information, or execution of arbitrary code.

Solution

Apply updates

Update to the latest stable version of the affected embedded TCP/IP software that address these recently disclosed vulnerabilities. If you have adopted this software from an upstream provider, contact the provider to get appropriate updates that need to be integrated into your software. Concerned end-users of IoT and embedded devices that implement these vulnerable TCP/IP software stacks should contact their vendor or the closest reseller to obtain appropriate updates.

Follow best-practices

We recommend that you follow best practices when connecting IoT or embedded devices to a network:

  • Avoid exposure of IoT and embedded devices directly over the Internet and use a segmented network zone when available.
  • Enable security features such as deep-packet inspection and firewall anomaly detection when available to protect embedded and IoT devices.
  • Ensure secure defaults are adopted and disable unused features and services on your embedded devices.
  • Regularly update firmware to the vendor provided latest stable version to ensure your device is up to date.

Acknowledgements

Jos Wetzels, Stanislav Dashevskyi, Amine Amri and Daniel dos Santos of Forescout Technologies researched and reported these vulnerabilities.

This document was written by Vijay Sarvepalli.

Original Source

Url : https://kb.cert.org/vuls/id/815128

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-125 Out-of-bounds Read
20 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)
17 % CWE-190 Integer Overflow or Wraparound (CWE/SANS Top 25)
7 % CWE-20 Improper Input Validation
3 % CWE-191 Integer Underflow (Wrap or Wraparound)
3 % CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Date Informations
2021-04-10 00:29:23
  • Multiple Updates
2021-04-09 21:29:51
  • Multiple Updates
2021-04-09 21:18:04
  • Multiple Updates
2021-03-26 17:29:10
  • Multiple Updates
2021-03-26 13:29:31
  • Multiple Updates
2021-03-26 13:17:54
  • Multiple Updates
2021-02-16 21:29:55
  • Multiple Updates
2021-02-16 17:29:07
  • Multiple Updates
2021-02-16 17:17:35
  • Multiple Updates
2021-02-02 00:28:59
  • Multiple Updates
2021-02-01 21:29:40
  • Multiple Updates
2021-02-01 21:17:59
  • Multiple Updates
2021-01-29 00:29:04
  • Multiple Updates
2021-01-28 21:30:02
  • Multiple Updates
2021-01-28 21:18:00
  • Multiple Updates
2021-01-13 09:29:20
  • Multiple Updates
2021-01-13 05:28:47
  • Multiple Updates
2021-01-13 05:17:34
  • Multiple Updates
2021-01-12 00:29:11
  • Multiple Updates
2021-01-11 21:29:52
  • Multiple Updates
2021-01-11 21:18:04
  • Multiple Updates
2021-01-07 00:28:49
  • Multiple Updates
2021-01-06 21:29:06
  • Multiple Updates
2021-01-06 21:17:57
  • Multiple Updates
2020-12-24 00:28:44
  • Multiple Updates
2020-12-23 21:29:39
  • Multiple Updates
2020-12-23 21:18:00
  • Multiple Updates
2020-12-22 00:28:54
  • Multiple Updates
2020-12-21 21:29:22
  • Multiple Updates
2020-12-21 21:18:05
  • Multiple Updates
2020-12-18 00:28:51
  • Multiple Updates
2020-12-17 21:29:52
  • Multiple Updates
2020-12-17 21:17:57
  • Multiple Updates
2020-12-17 00:29:10
  • Multiple Updates
2020-12-16 21:29:30
  • Multiple Updates
2020-12-16 21:17:59
  • Multiple Updates
2020-12-15 00:28:50
  • Multiple Updates
2020-12-14 17:28:45
  • Multiple Updates
2020-12-14 17:17:35
  • Multiple Updates
2020-12-09 17:17:33
  • Multiple Updates
2020-12-08 17:17:32
  • First insertion