Severity Rating: High
Systems Affected
uIP-Contiki-OS (end-of-life [EOL]), Version 3.0 and prior
uIP-Contiki-NG, Version 4.5 and prior
uIP (EOL), Version 1.0 and prior
open-iscsi, Version 2.1.12 and prior
picoTCP-NG, Version 1.7.0 and prior
picoTCP (EOL), Version 1.7.0 and prior
FNET, Version 4.6.3
Nut/Net, Version 5.1 and prior
Overview
Multiple vulnerabilities have been reported in open source TCP/IP stacks
that could be exploited by a remote attacker to perform a denial of service
(DoS) attack, execute arbitrary code or obtain sensitive information on the
targeted system.
Description
These vulnerabilities exist in four open source TCP/IP stacks (uIP, FNET,
picoTCP and Nut/Net) and are caused by memory corruption bugs in these
lightweight implementations, which are widely used in Real Time Operating
Systems (RTOS) and IoT devices. A remote, unauthenticated attacker could
exploit these vulnerabilities by sending specially crafted network packets
to the targeted system.
Successful exploitation of these vulnerabilities could allow an attacker to
execute arbitrary code, gain access to sensitive information or perform a
denial of service (DoS) attack on the targeted system.
Best practices while connecting IoT or embedded devices to a network
Avoid exposure of IoT and embedded devices directly over the Internet and
use a segmented network zone when available.
Enable security features such as deep-packet inspection and firewall
anomaly detection when available to protect embedded and IoT devices.
Ensure secure defaults are adopted and disable unused features and services
on your embedded devices.
Regularly update firmware to the latest stable version provided by the
vendor so that your devices stay up to date.
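The segmentation and "disable unused services" practices above can be enforced at a gateway with a default-deny firewall policy. The ruleset below is an added example and is not part of the advisory or of any vendor guidance. It assumes a Linux gateway running nftables and a constructed topology: an IoT segment 10.20.0.0/24 behind interface iot0, an Internet-facing interface wan0, a corporate LAN on lan0 with a management host 10.0.0.10, and a local recursive resolver at 10.20.0.53; all of these names and addresses are placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the advisory): isolate an IoT/embedded segment so
# that devices running lightweight TCP/IP stacks are never reachable from the
# Internet unsolicited and only exchange the traffic they actually need.
# Assumed (constructed) topology:
#   iot0       = interface facing the IoT segment 10.20.0.0/24
#   wan0       = Internet-facing interface
#   lan0       = corporate LAN; management host 10.0.0.10
#   10.20.0.53 = local recursive resolver offered to the IoT segment

flush ruleset

table inet iot_zone {
    set iot_net    { type ipv4_addr; flags interval; elements = { 10.20.0.0/24 } }
    set mgmt_hosts { type ipv4_addr; elements = { 10.0.0.10 } }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the policy already allowed.
        ct state established,related accept

        # The affected stacks fail on crafted packets, so do not forward
        # anything conntrack considers malformed.
        ct state invalid drop

        # Nothing from the Internet may initiate traffic into the IoT segment.
        iifname "wan0" oifname "iot0" drop

        # IoT devices may only reach the local resolver (DNS) and NTP upstream;
        # extend this list with the services the devices genuinely need.
        iifname "iot0" ip saddr @iot_net ip daddr 10.20.0.53 udp dport 53 accept
        iifname "iot0" oifname "wan0" ip saddr @iot_net udp dport 123 accept

        # Management hosts may administer the devices over SSH/HTTPS only.
        iifname "lan0" ip saddr @mgmt_hosts oifname "iot0" tcp dport { 22, 443 } accept

        # Everything else, including IoT -> LAN lateral traffic, is logged
        # (rate limited) and then hits the chain's drop policy.
        limit rate 10/minute burst 5 packets log prefix "iot_zone drop: "
    }
}
```

Load it with `nft -f <file>` on the gateway. The rules above match IPv4 only; if the IoT devices use IPv6, add matching `ip6` rules, since several of the affected stacks' bugs are in IPv6 and DNS handling, and an IPv6 path that bypasses the policy would leave the segment exposed. The `log` line gives the "firewall anomaly detection" data the advisory recommends: repeated drops from a single device are a signal worth investigating.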
Solution
FNET users update to Version 4.7.0 or later
uIP-Contiki-NG users update to the latest version available at
open-iscsi users update to the latest version available at
Maintainers of Nut/Net can update to the latest version available at
Vendor Information
uIP
PicoTCP
FNET
Nut/OS
iscsi
Microchip
References
NJCCIC
US CERT
SIEMENS
FEIG
Forescout
IoTSecurityFoundation
CVE Name
CVE-2020-13984
CVE-2020-13985
CVE-2020-13986
CVE-2020-13987
CVE-2020-13988
CVE-2020-17437
CVE-2020-17438
CVE-2020-17439
CVE-2020-17440
CVE-2020-17441
CVE-2020-17442
CVE-2020-17443
CVE-2020-17444
CVE-2020-17445
CVE-2020-17467
CVE-2020-17468
CVE-2020-17469
CVE-2020-17470
CVE-2020-24334
CVE-2020-24335
CVE-2020-24336
CVE-2020-24337
CVE-2020-24338
CVE-2020-24339
CVE-2020-24340
CVE-2020-24383
CVE-2020-25107
CVE-2020-25108
CVE-2020-25109
CVE-2020-25110
CVE-2020-25111
CVE-2020-25112
About Cert Advisory
We have created this blog to provide the latest security advisories from India CERT on security vulnerabilities, threats, attacks and the patching required to mitigate any kind of cyber attack.