(I)IoT Security News

Multiple Embedded TCP/IP Stacks (Update A)

1. EXECUTIVE SUMMARY

CISA is aware of a public report, known as “NUMBER:JACK”, that details vulnerabilities found in multiple open-source and proprietary TCP/IP stacks. CISA is issuing this advisory to provide early notice of the reported vulnerabilities and to identify baseline mitigations for reducing the risk of these and other cybersecurity attacks.
The various open-source stacks may be implemented in forked repositories.

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-21-042-01 Multiple Embedded TCP/IP stacks that was published February 11, 2021, to the ICS webpage on us-cert.cisa.gov.

3. RISK EVALUATION

Successful exploitation of weak initial sequence numbers (ISN) can be used to hijack or spoof TCP connections, cause denial-of-service conditions, inject malicious data, or bypass authentication.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following have been reported to be affected:
•    Nut/Net, Version 5.1 and prior
•    CycloneTCP, Version 1.9.6 and prior
•    NDKTCPIP, Version 2.25 and prior
•    FNET, Version 4.6.3
•    uIP-Contiki-OS (end-of-life [EOL]), Version 3.0 and prior
•    uC/TCP-IP (EOL), Version 3.6.0 and prior
•    uIP-Contiki-NG, Version 4.5 and prior
•    uIP (EOL), Version 1.0 and prior
•    picoTCP-NG, Version 1.7.0 and prior
•    picoTCP (EOL), Version 1.7.0 and prior
•    MPLAB Net, Version 3.6.1 and prior
•    Nucleus NET, All versions prior to Version 5.2
•    Nucleus ReadyStart for ARM, MIPS, and PPC, All versions prior to Version 2012.12

4.2 VULNERABILITY OVERVIEW

4.2.1    USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

Nut/Net software relies on highly predictable source values and has consistent increments when generating initial sequence numbers (ISN), which may allow an attacker to spoof or disrupt TCP connections. 

CVE-2020-27213 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.2.2    USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

uC/TCP-IP ISN generation relies on a linear congruential generator (LCG), which is reversible from observed output streams because the algorithm is seeded with publicly recoverable information. This defect may allow an attacker to spoof or disrupt TCP connections.

CVE-2020-27630 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.2.3    USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

CycloneTCP ISN generation relies on a linear congruential generator (LCG), which is reversible from observed output streams because the algorithm is seeded with publicly recoverable information. This defect may allow an attacker to spoof or disrupt TCP connections.

CVE-2020-27631 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.2.4    USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

NDKTCPIP software is initialized with a consistent value and has consistent increments when generating initial sequence numbers (ISN), which may allow an attacker to spoof or disrupt TCP connections. 

CVE-2020-27632 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.2.5    USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

FNET software is initialized with a consistent value and has consistent increments when generating initial sequence numbers (ISN), which may allow an attacker to spoof or disrupt TCP connections. 

CVE-2020-27633 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.2.6    USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

uIP, Contiki-OS, and Contiki-NG software is initialized with a consistent value and has consistent increments when generating initial sequence numbers (ISN), which may allow an attacker to spoof or disrupt TCP connections. 

CVE-2020-27634 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.2.7    USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

picoTCP and picoTCP-NG ISN generation relies on a linear congruential generator (LCG), which is reversible from observed output streams because the algorithm is seeded with publicly recoverable information. This defect may allow an attacker to spoof or disrupt TCP connections.

CVE-2020-27635 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.2.8    USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

MPLAB software ISN generation relies on a linear congruential generator (LCG), which is reversible from observed output streams because the algorithm is seeded with publicly recoverable information. This defect may allow an attacker to spoof or disrupt TCP connections.

CVE-2020-27636 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.2.9    USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

Nucleus NET and Nucleus ReadyStart software ISN generation relies on a combination of values that can be acquired from capturing network traffic, which may allow an attacker to spoof or disrupt TCP connections. 

CVE-2020-28388 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).
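The entries above share one root cause: the ISN is either a fixed start value plus a constant increment, or the output of a generator seeded from information an observer can recover. As an added illustration (not code from the advisory or from any of the listed stacks), the block below shows the RFC 6528 construction the advisory's mitigations point toward, ISN = M + F(local IP, local port, remote IP, remote port, secret key), alongside a small checker that flags the "consistent increment" pattern in a captured ISN sample. Names, the key size, and the sample ISN values are constructed for the example.

```python
import hashlib
import secrets
import time


class Rfc6528IsnGenerator:
    """ISN = (M + F(connection 4-tuple, secret)) mod 2^32, per RFC 6528.
    Hypothetical class for this example; not from any listed stack."""

    def __init__(self, secret=None, clock=time.monotonic_ns):
        # The secret comes from the OS CSPRNG, never from uptime, a fixed
        # constant, or anything else a network observer could recover.
        self._secret = secret if secret is not None else secrets.token_bytes(32)
        self._clock = clock  # injectable so the example is testable offline

    def isn(self, local_ip, local_port, remote_ip, remote_port):
        # M: 32-bit clock advancing once every 4 microseconds (RFC 793 rate).
        m = (self._clock() // 4000) & 0xFFFFFFFF
        tuple_bytes = f"{local_ip}:{local_port}:{remote_ip}:{remote_port}".encode()
        # F: keyed hash of the 4-tuple, truncated to 32 bits. Without the key
        # an observer cannot compute F, so ISNs of other connections stay
        # unpredictable even though M is roughly known.
        digest = hashlib.blake2b(tuple_bytes, key=self._secret, digest_size=4).digest()
        f = int.from_bytes(digest, "big")
        return (m + f) & 0xFFFFFFFF


def isn_increments(isns):
    """32-bit wrap-around differences between consecutive observed ISNs."""
    return [(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])]


def looks_predictable(isns, min_samples=4):
    """True when every consecutive difference is identical: the
    'initialized with a consistent value, consistent increments' pattern
    the advisory describes. A single shared increment across a sample of
    this size is not expected from a keyed-hash generator."""
    if len(isns) < min_samples:
        return False
    return len(set(isn_increments(isns))) == 1


if __name__ == "__main__":
    # Constructed sample imitating a fixed-increment stack (increment 64000).
    weak = [1000 + 64000 * i for i in range(6)]
    gen = Rfc6528IsnGenerator()
    strong = [gen.isn("10.0.0.1", p, "10.0.0.2", 502) for p in range(40000, 40006)]
    print("fixed-increment sample flagged:", looks_predictable(weak))
    print("RFC 6528 sample flagged:", looks_predictable(strong))
```

Run against ISNs captured from a device under test, the checker only flags the crudest pattern; an LCG-based generator will pass it, so the presence of a keyed hash and a CSPRNG-seeded key in the stack source is the check that actually matters.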

4.3 BACKGROUND

4.4 RESEARCHER

Daniel dos Santos, Stanislav Dashevskyi, Jos Wetzels, and Amine Amri of Forescout Research Labs reported these vulnerabilities to CISA.

5. MITIGATIONS

——— Begin Update A Part 1 of 1 ———

——— End Update A Part 1 of 1 ———

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. 

Source:

https://us-cert.cisa.gov/ics/advisories/icsa-21-042-01
