Multiple TCP/IP stacks vulnerabilities

Canon Medical Systems Security Advisory

Overview:
Multiple security vulnerabilities have been announced in several TCP/IP stacks commonly used in Internet of Things (IoT) and embedded devices. These vulnerabilities are also tracked under the name NAME:WRECK. TCP/IP stacks provide essential network communication capability. The following TCP/IP stacks were found to have 9 vulnerabilities related to their Domain Name System (DNS) implementations, causing either Denial of Service (DoS) or Remote Code Execution (RCE).

  • FreeBSD (vulnerable version: 12.1)
  • IPnet (vulnerable version: VxWorks 6.6)
  • NetX (vulnerable version: 6.0.1)
  • Nucleus NET (vulnerable version: 4.3)

Vulnerability Overview:

| CVE ID | Stack | Description | Affected Component | Potential Impact | CVSS v3.1 |
|---|---|---|---|---|---|
| CVE-2020-7461 | FreeBSD | The vulnerability exists due to a boundary error when parsing option 119 data in DHCP packets in dhclient(8). A remote attacker on the local network can send specially crafted data to the DHCP client, trigger a heap-based buffer overflow and execute arbitrary code on the target system. | Message compression | RCE | 7.7 |
| CVE-2016-20009 | IPnet | The DNS client has a stack-based overflow in the message decompression function, leading to a potential RCE. | Message compression | RCE | 9.8 |
| CVE-2020-15795 | Nucleus NET | The DNS domain name label parsing functionality does not properly validate the names in DNS responses. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition. | Domain name label parsing | RCE | 8.1 |
| CVE-2020-27009 | Nucleus NET | The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition. | Message compression | RCE | 8.1 |
| CVE-2020-27736 | Nucleus NET | The DNS domain name label parsing functionality does not properly validate the name in DNS responses. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition. | Domain name label parsing | DoS | 6.5 |
| CVE-2020-27737 | Nucleus NET | The DNS response parsing functionality does not properly validate the various lengths and counts of the records. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition. | Domain name label parsing | DoS | 6.5 |
| CVE-2020-27738 | Nucleus NET | The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a read access past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition. | Message compression | DoS | 6.5 |
| CVE-2021-25677 | Nucleus NET | The DNS client does not properly randomize DNS transaction ID (TXID) and UDP port numbers, allowing attackers to perform DNS cache poisoning/spoofing attacks. | Transaction ID | DNS cache poisoning/spoofing | 5.3 |
| (waiting for a CVE ID to be assigned) | NetX | In the DNS resolver component, the functions _nx_dns_name_string_unencode and _nx_dns_resource_name_real_size_calculate do not check that the compression pointer does not equal the same offset currently being parsed, which could lead to an infinite loop. In the function _nx_dns_resource_name_real_size_calculate the pointer can also point forward and there is no out-of-bounds check on the packet buffer. | Message compression | DoS | 6.5 |
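
The checks that the "Message compression" and "Domain name label parsing" entries above describe as missing (a pointer equal to the offset being parsed, forward pointers, no bounds check on the packet buffer or the destination), shown together in one hardened decoder. This is an added example, not code from NetX, Nucleus NET or any other stack named here; the function name dns_name_decode and its parameters are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define DNS_MAX_NAME 255  /* RFC 1035 limit on an encoded name */

/* Added illustration (hypothetical name, not code from any affected stack).
 * Decodes the name at msg[off] into out as dotted text. Returns the bytes
 * the name occupies at off, or -1 if the message is malformed. */
int dns_name_decode(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_cap)
{
    size_t pos = off, out_len = 0, wire_len = 0;
    size_t limit = off;   /* a pointer must target an offset below this */
    int consumed = -1;    /* fixed at the first pointer or at the root label */

    if (out_cap == 0)
        return -1;
    for (;;) {
        if (pos >= msg_len)
            return -1;                      /* read past end of packet */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {         /* compression pointer */
            if (pos + 1 >= msg_len)
                return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (target >= limit)
                return -1;                  /* self, forward or looping pointer */
            if (consumed < 0)
                consumed = (int)(pos + 2 - off);
            limit = pos = target;           /* strictly decreasing, so it ends */
            continue;
        }
        if (len & 0xC0)
            return -1;                      /* reserved label types */
        if (len == 0) {                     /* root label ends the name */
            out[out_len] = '\0';
            return consumed < 0 ? (int)(pos + 1 - off) : consumed;
        }
        wire_len += (size_t)len + 1;
        if (wire_len > DNS_MAX_NAME - 1 || pos + 1 + len > msg_len ||
            out_len + len + 2 > out_cap)
            return -1;      /* name too long, label past packet, or out full */
        if (out_len)
            out[out_len++] = '.';
        for (uint8_t i = 0; i < len; i++)
            out[out_len++] = (char)msg[pos + 1 + i];
        pos += (size_t)len + 1;
    }
}
```

Requiring every pointer target to lie strictly below the previous one bounds the number of jumps by the packet size, so a crafted response cannot keep the parser spinning.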




Possible Affected Canon Medical Systems Products:
Canon Medical Systems Corporation is not using these four TCP/IP stack versions in its products. Canon Medical Systems Corporation is currently investigating whether there is any impact on third-party components used in its products. If any impact is found, customers will be informed immediately.

  • FreeBSD (vulnerable version: 12.1)
  • IPnet (vulnerable version: VxWorks 6.6)
  • NetX (vulnerable version: 6.0.1)
  • Nucleus NET (vulnerable version: 4.3)



Affected Canon Medical Systems Products
・ None

Canon Medical Products under investigation
・ None

Resolution:
・ None