
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN672
_____________________________________________________________________

DATE                : 09/12/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running open-source embedded TCP/IP stacks.

=====================================================================
https://www.kb.cert.org/vuls/id/815128
_____________________________________________________________________

Embedded TCP/IP stacks have memory corruption vulnerabilities
Vulnerability Note VU#815128
Original Release Date: 2020-12-08 | Last Revised: 2020-12-08


Overview

Multiple open-source embedded TCP/IP stacks, commonly used in Internet
of Things (IoT) and embedded devices, have several vulnerabilities
stemming from improper memory management. These vulnerabilities are also
tracked as ICS-VU-633937 and JVNVU#96491057, and under the collective
name AMNESIA:33.


Description

Embedded TCP/IP stacks provide essential TCP/IP network communication
capability to many lightweight operating systems adopted by IoT and
other embedded devices. These software stacks are also found in newer
technologies such as edge computing. The following embedded TCP/IP
stacks were found to contain the 33 memory-related vulnerabilities
covered by this advisory:

    uIP: https://github.com/adamdunkels/uip
    Contiki-OS and Contiki-NG: https://www.contiki-ng.org/
    PicoTCP and PicoTCP-NG: http://picotcp.altran.be
    FNET: http://fnet.sourceforge.net/
    Nut/OS: http://www.ethernut.de/en/software/

These software stacks can be integrated in various ways: compiled from
source, modified and integrated, or linked as dynamic or static
libraries, which allows for a wide variety of implementations. As an
example, projects such as Apache NuttX and open-iscsi have adopted
common libraries and software modules, thus inheriting some of the
vulnerabilities with varying levels of impact. The diversity of
implementations and the lack of supply chain visibility have made it
difficult to accurately assess the impact, the extent of use and the
potential exploitability of these vulnerabilities.

In general, most of these vulnerabilities are caused by memory
management bugs, commonly seen in lightweight software implementations
in Real Time Operating Systems (RTOS) and IoT devices. For specific
details on these vulnerabilities, see the Forescout advisory, which
provides the technical analysis.


Impact

The impact of these vulnerabilities varies widely because of the
combination of build and runtime options chosen when these stacks are
integrated into embedded devices. In summary, a remote, unauthenticated
attacker may be able to use specially-crafted network packets to cause
the vulnerable device to behave in unexpected ways, such as a failure
(denial of service), disclosure of private information, or execution of
arbitrary code.


Solution

Apply updates

Update to the latest stable version of the affected embedded TCP/IP
software that addresses these recently disclosed vulnerabilities. If you
have adopted this software from an upstream provider, contact the
provider to obtain the appropriate updates and integrate them into your
software. Concerned end-users of IoT and embedded devices that implement
one of these vulnerable TCP/IP software stacks should contact their
vendor or the closest reseller to obtain appropriate updates.

Follow best-practices

We recommend that you follow best practices when connecting IoT or
embedded devices to a network:

    Avoid exposure of IoT and embedded devices directly over the
Internet and use a segmented network zone when available.

    Enable security features such as deep-packet inspection and firewall
anomaly detection when available to protect embedded and IoT devices.

    Ensure secure defaults are adopted and disable unused features and
services on your embedded devices.

    Regularly update firmware to the vendor provided latest stable
version to ensure your device is up to date.
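The two network-level recommendations above (no direct Internet exposure,
a segmented zone for IoT devices) can be expressed as a concrete packet
filter. The ruleset below is an added illustration, not part of the
CERT-Renater or CERT/CC advisory and not vendor-provided configuration.
It assumes a Linux router running nftables with three interfaces, wan0
(Internet), iot0 (IoT VLAN) and lan0 (trusted LAN); the interface names
and the IoT subnet are constructed for the example.

```nft
# Constructed example: isolate an IoT segment on an nftables router.
# Assumed interfaces: wan0 = Internet, iot0 = IoT VLAN, lan0 = trusted LAN.
table inet iot_segment {
    chain forward {
        # Default-deny for all forwarded traffic between segments.
        type filter hook forward priority 0; policy drop;

        # Allow return traffic for connections initiated from inside.
        ct state established,related accept

        # Nothing from the Internet may initiate a connection to an IoT device.
        iifname "wan0" oifname "iot0" drop

        # IoT devices may reach the Internet only for DNS and HTTPS
        # (e.g. vendor firmware updates); every other egress is logged and dropped.
        iifname "iot0" oifname "wan0" udp dport 53 accept
        iifname "iot0" oifname "wan0" tcp dport 443 accept
        iifname "iot0" oifname "wan0" log prefix "iot-egress-drop: " drop

        # The trusted LAN may manage IoT devices, but IoT devices may not
        # initiate connections toward the trusted LAN (limits lateral movement
        # from a compromised device).
        iifname "lan0" oifname "iot0" accept
        iifname "iot0" oifname "lan0" log prefix "iot-lateral-drop: " drop
    }
}
```

Load it with `nft -f <file>` and review the kernel log for the two
prefixes: a burst of "iot-egress-drop" or "iot-lateral-drop" entries from
a single device is a useful signal that it is behaving outside its
expected traffic profile. The HTTPS allowance can be tightened further to
the vendor's update endpoints once they are known.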


Acknowledgements

Jos Wetzels, Stanislav Dashevskyi, Amine Amri and Daniel dos Santos of
Forescout Technologies researched and reported these vulnerabilities.

This document was written by Vijay Sarvepalli.


Vendor Information

Microchip Technology               Affected
Siemens                            Affected
Abbott Labs                        Not Affected
Afero                              Not Affected
Arista Networks Inc.               Not Affected
ARM mbed TLS                       Not Affected
Barracuda Networks                 Not Affected
Belden                             Not Affected
Blackberry QNX                     Not Affected
Brocade Communication Systems      Not Affected
Ceragon Networks Inc               Not Affected
dd-wrt                             Not Affected
Digi International                 Not Affected
F5 Networks Inc.                   Not Affected
Fastly                             Not Affected
Fitbit                             Not Affected
Google                             Not Affected
HCC                                Not Affected
Infoblox                           Not Affected
Intel                              Not Affected
Juniper Networks                   Not Affected
Nokia                              Not Affected
Rockwell Automation                Not Affected
SUSE Linux                         Not Affected
VMware                             Not Affected
VMware Carbon Black                Not Affected
Wind River                         Not Affected
Xilinx                             Not Affected
Zephyr Project                     Not Affected
Zyxel                              Not Affected
Actelis Networks                   Unknown
ADATA                              Unknown
Aerohive                           Unknown
AhnLab Inc                         Unknown
Akamai Technologies Inc.           Unknown
Alcatel-Lucent Enterprise          Unknown
Allied Telesis                     Unknown
Altran Intelligent Systems         Unknown
ANTlabs                            Unknown
Apache Software Foundation         Unknown
Aruba Networks                     Unknown
Atheros Communications Inc         Unknown
Avaya Inc.                         Unknown
Belkin Inc.                        Unknown
Bell Canada Enterprises            Unknown
Blunk Microsystems                 Unknown
BoringSSL                          Unknown
Broadcom                           Unknown
Cambium Networks                   Unknown
Canon                              Unknown
CareStream                         Unknown
CERT-UBIK                          Unknown
Cesanta                            Unknown
Cirpack                            Unknown
Cisco                              Unknown
CMX Systems                        Unknown
Commscope                          Unknown
Contiki OS                         Unknown
Cricket Wireless                   Unknown
Cypress Semiconductor              Unknown
Dell                               Unknown
Dell EMC                           Unknown
Dell SecureWorks                   Unknown
Deutsche Telekom                   Unknown
Devicescape                        Unknown
Diebold Election Systems           Unknown
D-Link Systems Inc.                Unknown
EfficientIP                        Unknown
Egnite                             Unknown
ENEA                               Unknown
Ericsson                           Unknown
Espressif Systems                  Unknown
Extreme Networks                   Unknown
FNet                               Unknown
Force10 Networks                   Unknown
Foundry Brocade                    Unknown
FreeBSD Project                    Unknown
FreeRTOS                           Unknown
Fujitsu                            Unknown
GFI Software                       Unknown
Grandstream                        Unknown
Green Hills Software               Unknown
Hewlett Packard Enterprise         Unknown
Hitachi                            Unknown
Honeywell                          Unknown
HP Inc.                            Unknown
Huawei                             Unknown
IBM                                Unknown
IBM Corporation (zseries)          Unknown
IBM Numa-Q Division (Formerly Sequent) Unknown
ICASI                              Unknown
InfoExpress Inc.                   Unknown
Inmarsat                           Unknown
INTEROP                            Unknown
IP Infusion Inc.                   Unknown
iscsi                              Unknown
Kwikset                            Unknown
Lantronix                          Unknown
Lenovo                             Unknown
LG Electronics                     Unknown
LibreSSL                           Unknown
LITE-ON Technology Corporation     Unknown
LiteSpeed Technologies             Unknown
Lynx Software Technologies         Unknown
m0n0wall                           Unknown
Marvell Semiconductor              Unknown
MediaTek                           Unknown
Medtronic                          Unknown
Metaswitch Networks                Unknown
Micrium                            Unknown
Microsoft                          Unknown
Miredo                             Unknown
Monroe Electronics                 Unknown
Motorola Inc.                      Unknown
Muonics Inc.                       Unknown
NEC Corporation                    Unknown
NetBSD                             Unknown
NetBurner                          Unknown
Netgear Inc.                       Unknown
NETSCOUT                           Unknown
netsnmp                            Unknown
netsnmpj                           Unknown
OleumTech                          Unknown
OpenConnect Ltd                    Unknown
OpenSSL                            Unknown
Oracle Corporation                 Unknown
Oryx Embedded                      Unknown
Paessler                           Unknown
Palo Alto Networks                 Unknown
Panasonic                          Unknown
Philips Electronics                Unknown
Proxim Inc.                        Unknown
Pulse Secure                       Unknown
QLogic                             Unknown
QNAP                               Unknown
Quadros Systems                    Unknown
Qualcomm                           Unknown
Riverbed Technologies              Unknown
Roku                               Unknown
Ruijie Networks                    Unknown
SafeNet                            Unknown
Samsung                            Unknown
Samsung Semiconductor              Unknown
SEIKO EPSON Corp. / Epson America Inc. Unknown
Siemens Nixdorf AG                 Unknown
SmoothWall                         Unknown
SonicWall                          Unknown
Sonos                              Unknown
Sophos                             Unknown
Systech                            Unknown
TCPWave                            Unknown
Tenable Network Security           Unknown
Texas Instruments                  Unknown
TippingPoint Technologies Inc.     Unknown
Tizen                              Unknown
Toshiba Commerce Solutions         Unknown
Ubuntu                             Unknown
Untangle                           Unknown
Vertical Networks Inc.             Unknown
WizNET Technology                  Unknown
wolfSSL                            Unknown
Xerox                              Unknown
Yamaha Corporation                 Unknown
Zebra Technologies                 Unknown
ZTE Corporation                    Unknown



References

    https://www.forescout.com/amnesia33
    https://us-cert.cisa.gov/ics/advisories/ICSA-20-343-01
    https://www.iotsecurityfoundation.org/securing-the-embedded-iot-world/
    https://krebsonsecurity.com/2018/01/some-basic-rules-for-securing-your-iot-stuff/
    https://skelia.com/articles/iot-security-why-your-toaster-needs-a-firewall/


Other Information

CVE IDs:  CVE-2020-13984 CVE-2020-13985 CVE-2020-13986 CVE-2020-13987
          CVE-2020-13988 CVE-2020-17437 CVE-2020-17438 CVE-2020-17439
          CVE-2020-17440 CVE-2020-17441 CVE-2020-17442 CVE-2020-17443
          CVE-2020-17444 CVE-2020-17445 CVE-2020-17467 CVE-2020-17468
          CVE-2020-17469 CVE-2020-17470 CVE-2020-24334 CVE-2020-24336
          CVE-2020-24337 CVE-2020-24338 CVE-2020-24339 CVE-2020-24340
          CVE-2020-24341 CVE-2020-24383 CVE-2020-25107 CVE-2020-25108
          CVE-2020-25109 CVE-2020-25110 CVE-2020-25111 CVE-2020-25112


Date Public:            2020-12-08
Date First Published:   2020-12-08
Date Last Updated:      2020-12-08 15:19 UTC
Document Revision:      1


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
