Embedded TCP/IP stacks vulnerabilities
Canon Medical Systems Security Advisory
Overview:
It was announced that there are multiple security vulnerabilities in multiple open-source embedded TCP/IP stacks, commonly used in Internet of Things (IoT) and embedded devices. These vulnerabilities are also tracked as the name AMNESIA:33. Embedded TCP/IP stacks provide essential network communication capability. The following embedded TCP/IP stacks were discovered to have 33 memory related vulnerabilities.
- uIP, Version 1.0 and prior
- uIP-Contiki-OS, Version 3.0 and prior
- uIP-Contiki-NG, Version 4.5 and prior
- picoTCP, Version 1.7.0 and prior
- picoTCP-NG, Version 2.0.0 and prior
- FNET, Version 4.6.3
- Nut/Net, Version 5.1 and prior
| CVE ID | CVSS v3.1 | Description | Affected Component | Potential Impact |
| CVE-2020- 13984 | 7.5 | The function used to process IPv6 extension headers and extension header options can be put into an infinite loop state due to unchecked header/option lengths. | Ext. header parsing in IPv6 (6LoWPAN) | DoS |
| CVE-2020-13985 | 7.5 | The function used to decapsulate RPL extension headers does not check for unsafe integer conversion when parsing the values provided in a header, allowing attackers to corrupt memory. | Ext. header parsing in IPv6 | DoS |
| CVE-2020-13986 | 7.5 | The function used to decapsulate RPL extension headers does not check the length value of an RPL extension header received, allowing attackers to put it into an infinite loop. | Ext. header parsing in IPv6 (6LoWPAN) | DoS |
| CVE-2020-13987 | 8.2 | The function that parses incoming transport layer packets (TCP/UDP) does not check the length fields of packet headers against the data available in the packets. Given arbitrary lengths, an out-of-bounds memory read may be performed during the checksum computation. | TCP/UDP checksum calculation in IPv4 | DoS Infoleak |
| CVE-2020-13988 | 7.5 | The function that parses the TCP MSS option does not check the validity of the length field of this option, allowing attackers to put it into an infinite loop, when arbitrary TCP MSS values are supplied. | TCP options parsing in IPv4 | DoS |
| CVE-2020-17437 | 8.2 | When handling TCP Urgent data, there are no sanity checks for the value of the Urgent data pointer, allowing attackers to corrupt memory by supplying arbitrary Urgent data pointer offsets within TCP packets. | TCP packet processing | DoS |
| CVE-2020-17438 | 7.0 | The code that reassembles fragmented packets does not validate the total length of an incoming packet specified in its IP header, as well as the fragmentation offset value specified in the IP header. This may lead to memory corruption. | Fragmented packet reassembly in IPv4 | DoS |
| CVE-2020-17439 | 8.1 | Incoming DNS replies are parsed by the DNS client even if there were no outgoing queries. The DNS transaction ID is not sufficiently random. Provided that the DNS cache is quite small (4 entries), this facilitates DNS cache poisoning attacks. | DNS response processing | DNS cache poisoning |
| CVE-2020-17440 | 7.5 | When parsing incoming DNS packets, there are no checks whether domain names are null-terminated. This allows attackers to achieve memory corruption with crafted DNS responses. | DNS domain name decoding | DoS |
| CVE-2020-24334 | 8.2 | The code that processes DNS responses does not check whether the number of responses specified in the DNS packet header correspond to the response data available in the DNS packet, allowing attackers to corrupt memory. | DNS response processing | DoS |
| CVE-2020-24335 | 7.5 | The function that parses domain names lacks bounds checks, allowing attackers to corrupt memory with crafted DNS packets. | DNS domain name decoding | DoS |
| CVE-2020-24336 | 9.8 | The code for parsing DNS records in DNS response packets sent over NAT64 does not validate the length field of the response records, allowing attackers to corrupt memory. | DNS response parsing in NAT64 | RCE |
| CVE-2020-25112 | 8.1 | Several issues, such as insufficient checks for the IPv4/ IPv6 header length and inconsistent checks for the IPv6 header extension lengths, allow attackers to corrupt memory. | ICMPv6 echo/reply processing | RCE |
| CVE-2020-17441 | 7.5 | The payload length field of IPv6 extension headers is not checked against the data available in incoming packets, allowing attackers to corrupt memory. | Ext. header parsing in IPv6, ICMPv6 checksum | DoS Infoleak |
| CVE-2020-17442 | 7.5 | The function that processes the Hop-by-Hop extension header in IPv6 packets and its options lacks any checks against the length field of the header, allowing attackers to put the function into an infinite loop by supplying arbitrary length values. | Ext. header parsing in IPv6 | DoS |
| CVE-2020-17443 | 8.2 | When processing ICMPv6 echo requests, there are no checks for whether the ICMPv6 header consists of at least 8 bytes (set by RFC443). This leads to the function that creates ICMPv6 echo replies based on a received request with a smaller header to corrupt memory. | ICMPv6 echo request processing | DoS |
| CVE-2020-17444 | 7.5 | The function that processes IPv6 headers does not check the lengths of extension header options, allowing attackers to put this function into an infinite loop with crafted length values. | Ext. header parsing in IPv6 | DoS |
| CVE-2020-17445 | 7.5 | The function that processes the IPv6 Destination Options extension header does not check the validity of its options lengths, allowing attackers to corrupt memory and/or put the function into an infinite loop withcrafted length values. | Ext. header parsing in IPv6 | DoS |
| CVE-2020-24337 | 7.5 | The function that processes TCP options does not validate their lengths, allowing attackers to put the function into an infinite loop with uncommon/unsupported TCP options that have crafted length values. | TCP options parsing in IPv4 | DoS |
| CVE-2020-24338 | 9.8 | The function that parses domain names lacks bounds checks, allowing attackers to corrupt memory with crafted DNS packets. | DNS domain name decoding | RCE |
| CVE-2020-24339 | 7.5 | The function that parses domain names lacks bounds checks, allowing attackers to corrupt memory with crafted DNS packets. | DNS domain name decoding | DoS |
| CVE-2020-24340 | 8.2 | The code that processes DNS responses does not check whether the number of responses specified in the DNS packet header correspond to the response data available in the DNS packet, allowing attackers to perform memory corruption. | DNS response processing | DoS Infoleak |
| CVE-2020-24341 | 8.2 | The TCP input data processing function does not validate the length of incoming TCP packets, allowing attackers to read out of bounds and perform memory corruption. | TCP packet processing | DoS Infoleak |
| CVE-2020-17467 | 8.2 | When parsing LLMNR requests, there are no checks whether domain names are null-terminated. This may allow attackers to read out of bounds. | LLMNR state machine | Infoleak |
| CVE-2020-17468 | 7.5 | The function that processes the IPv6 Hop-by-Hop extension header does not check the validity of its options lengths, allowing attackers to corrupt memory. | Ext. header parsing in IPv6 | DoS |
| CVE-2020-17469 | 5.9 | The IPv6 packet reassembly function does not check whether the received fragments are properly aligned in memory, allowing attackers to perform memory corruption with crafted IPv6 fragmented packets. | Fragmented packet reassembly in IPv6 | DoS |
| CVE-2020-17470 | 4 | The code that initializes the DNS client interface structure does not set sufficiently random transaction IDs (they will be always set to 1), facilitating DNS cache poisoning attacks. | DNS response processing | DNS cache poisoning |
| CVE-2020-24383 | 6.5 | When parsing incoming mDNS packets, there are no checks whether domain names are null-terminated. This allows attackers to achieve memory corruption and/or memory leak. | DNS domain name decoding | DoS Infoleak |
| CVE-2020-25107 | 7.5 | The code that processes DNS questions/responses has several issues: (1) there is no check on whether a domain name is NULL-terminated; (2) the DNS response data length is not checked (can be set to arbitrary value from a packet); (3) the number of DNS queries/responses (set in DNS header) is not checked against the data present; (4) the length byte of a domain name in a DNS query/response is not checked and is used for internal memory operations. | DNS domain name decoding/ DNS response processing | DoS |
| CVE-2020-25108 | 7.5 | DoS | ||
| CVE-2020-25109 | 8.2 | DoS | ||
| CVE-2020-25110 | 8.2 | DoS | ||
| CVE-2020-25111 | 9.8 | RCE |
Possible Affected Canon Medical Systems Products:
Canon Medical Systems Corporation is not using these embedded TCP/IP stacks directly in its products. Canon Medical Systems Corporation is currently investigating whether there is any impact to third party components used in the products. If any impact is found, it will be informed to customer immediately.
Affected Canon Medical Systems Products
・ None
Canon Medical Products under investigation
・ None
Resolution:
・ None
Due to medical device regulatory reasons, not all products/service displayed on this Canon Medical Systems global webpage are available in all countries, regions or markets. Future availability of the products/service cannot also be guaranteed. Please contact your local Canon Medical Systems representative for further details.
