SWRA697A December 2020 – January 2021
Publication date: December 21, 2020
Summary
Forescout Research Labs has identified potential vulnerabilities in multiple open-source TCP/IP stacks. The following potential vulnerabilities have been identified as impacting the uIP and Contiki-OS software:
| CVEID | CVSS Score | CVSS Vector | Description |
|---|---|---|---|
| CVE-2020-13985 | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | The function used to decapsulate RPL extension headers does not check for unsafe integer conversion when parsing the values provided in a header, allowing attackers to corrupt memory. |
| CVE-2020-13984 | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | The function used to process IPv6 extension headers and extension header options can be put into an infinite loop state due to unchecked header/option lengths. |
| CVE-2020-13986 | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | The function used to decapsulate RPL extension headers does not check the length value of an RPL extension header received, allowing attackers to put it into an infinite loop. |
| CVE-2020-13988 | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | The function that parses the TCP MSS option does not check the validity of the length field of this option, allowing attackers to put it into an infinite loop, when arbitrary TCP MSS values are supplied. |
| CVE-2020-17440 | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | When parsing incoming DNS packets, there are no checks whether domain names are null-terminated. This allows attackers to achieve memory corruption with crafted DNS responses. |
| CVE-2020-24335 | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | The function that parses domain names lacks bounds checks, allowing attackers to corrupt memory with crafted DNS packets. |
| CVE-2020-13987 | 8.2 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H | The function that parses incoming transport layer packets (TCP/UDP) does not check the length fields of packet headers against the data available in the packets. Given arbitrary lengths, an out-of-bounds memory read may be performed during the checksum computation. |
| CVE-2020-24334 | 8.2 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H | The code that processes DNS responses does not check whether the number of responses specified in the DNS packet header correspond to the response data available in the DNS packet, allowing attackers to corrupt memory. |
| CVE-2020-17437 | 8.2 | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H | When handling TCP Urgent data, there are no sanity checks for the value of the Urgent data pointer, allowing attackers to corrupt memory by supplying arbitrary Urgent data pointer offsets within TCP packets. |
| CVE-2020-24336 | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | The code for parsing DNS records in DNS response packets sent over NAT64 does not validate the length field of the response records, allowing attackers to corrupt memory. |
| CVE-2020-25112 | 8.1 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Several issues, such as insufficient checks for the IPv4/IPv6 header length and inconsistent checks for the IPv6 header extension lengths, allow attackers to corrupt memory. |
Affected products and versions
Legacy Texas Instruments example software for 6LoWPAN solutions is likely impacted.
It is also possible that the CVE-2020-13986 potential vulnerability affects the uIP version shipped in the MSP432E4 SDK example project boot_serial_emac_flash_MSP_EXP432E401Y_nortos. As shipped, the example code in the project is not directly vulnerable because UDP checksums are not enabled (UIP_CONF_UDP_CHECKSUMS is not defined in uip-conf.h). However, it is a best practice to enable UDP checksums during deployment.
Potentially impacted features
The example TI reference designs for 6LoWPAN networks listed below were provided on TI.com and contained example software for implementing 6LoWPAN networks based on the Contiki-OS RTOS. This example implementation included the uIP TCP/IP stack, identified to be potentially vulnerable.
Suggested mitigations
Due to the legacy nature of the example software, the above TI reference designs for 6LoWPAN networks are considered obsolete, and as such there is no plan to update them at this time. It is recommended that TI customers who referenced example software that included Contiki-OS evaluate the recommendations provided by the ICS Advisory and either:
It is recommended that customers who have used MSP432E4 SDK example project boot_serial_emac_flash_MSP_EXP432E401Y_nortos and enabled UDP checksums upgrade their uIP handling to a version of Contiki's uIP software stack above version 3.0.
External references