The research team of the company Forescout, which presented the "AMNESIA:33" vulnerabilities in December last year, has discovered nine further vulnerabilities in various TCP/IP stack implementations. The new collection of vulnerabilities, christened "NUMBER:JACK", is based throughout on programming errors and weaknesses in the code responsible for generating initial TCP sequence numbers (Initial Sequence Numbers, ISNs).
With one "medium" exception, the vulnerabilities were each rated with a CVSS score of 7.5 ("High"). In some cases updated stack code and updates for SDKs are already available.
Predictable ISNs as an attack vector
In the TCP protocol, sequence numbers are meant to ensure that the receiver gets data packets completely, in the correct order and without duplicates. The initial sequence number, which is then incremented with each data packet, is exchanged between the communication partners during connection setup and must be as unpredictable (random) as possible.
If ISNs can be "guessed" thanks to vulnerabilities, various attacks on existing TCP connections become possible: attackers could inject their own data packets unnoticed (session hijacking) or simply terminate connections in the course of a denial-of-service attack. With NUMBER:JACK, the successful establishment of new, supposedly trusted connections is also conceivable (TCP spoofing).
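To show what "predictable" means in practice, the following added Python example (not Forescout's tool or code from the report) audits a sample of ISNs collected from successive connections to one host: it flags a bare counter and increments drawn from a tiny set, the kinds of weak generators the stack list below describes, and passes ISNs spread over the full 32-bit space. The sample generators and values are constructed for illustration, and the entropy threshold is an assumption.

```python
import math
import random
from collections import Counter

def isn_deltas(isns):
    """32-bit wrapped differences between consecutive ISNs."""
    return [(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])]

def delta_entropy_bits(deltas):
    """Shannon entropy of the increment distribution in bits (0 = every increment identical)."""
    n = len(deltas)
    return -sum(c / n * math.log2(c / n) for c in Counter(deltas).values())

def assess_isn_sample(isns, min_entropy_bits=4.0):
    """Classify ISNs observed on successive connections to the same host.
    "constant-increment": every connection adds the same value (fully predictable).
    "low-entropy-increments": the increments vary too little to resist guessing.
    "no-obvious-pattern": this simple check found nothing (not a proof of safety).
    The 4-bit threshold is an assumption chosen for this example, not a standard.
    """
    if len(isns) < 8:
        raise ValueError("need at least 8 ISNs for a meaningful assessment")
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        return "constant-increment"
    if delta_entropy_bits(deltas) < min_entropy_bits:
        return "low-entropy-increments"
    return "no-obvious-pattern"

# Constructed samples standing in for hypothetical stacks (not values from the report).
def weak_counter_isns(n, start=0x1234, step=64000):
    """A bare counter: each ISN is the previous one plus a fixed step."""
    return [(start + i * step) & 0xFFFFFFFF for i in range(n)]

def low_entropy_isns(n, seed=7):
    """Increments drawn from only two values, so a single guess hits half the time."""
    rng = random.Random(seed)
    out = [0x80000000]
    for _ in range(n - 1):
        out.append((out[-1] + rng.choice((64000, 128000))) & 0xFFFFFFFF)
    return out

def random_isns(n, seed=1):
    """ISNs spread over the whole 32-bit space, as a properly seeded generator produces."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]

if __name__ == "__main__":
    for name, sample in (("counter", weak_counter_isns(64)), ("two-step", low_entropy_isns(64)),
                         ("random", random_isns(64))):
        print(f"{name:9s} -> {assess_isn_sample(sample)}")
```

In a real audit the ISNs would come from the SYN-ACKs of repeated connection attempts to the device under test; a "no-obvious-pattern" result only means this coarse check found nothing, not that the generator is sound.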
Details of the individual vulnerabilities can be found in a Forescout blog entry on NUMBER:JACK. A detailed NUMBER:JACK report provides further information about the researchers' analyses.
Updates and more information
Nine of the 11 stacks studied are affected; this time, in addition to the seven open source implementations already tested in the course of AMNESIA:33, four more were examined: … Net by Microchip, NDKTCPIP by Texas Instruments, Nanostack by Arm and Nucleus NET by Siemens.
Weaknesses were found in the following stacks that cause ISNs to be insufficiently random or, due to the use of certain components, reconstructible ("reversible"):
- CycloneTCP 1.9.6: CVE-2020-27631; patched in version 2.0.0
- FNET 4.6.3: CVE-2020-27633; no patch so far
- MPLAB Net 3.6.1: CVE-2020-27636; patched in version 3.6.4
- NDKTCPIP 2.25: CVE-2020-27632; patched from version 7.02 of the Processor SDK
- Nucleus NET 4.3: CVE-2020-28388 (the single "medium" rating); patched in Nucleus NET 5.2 and Nucleus ReadyStart V2012.12
- Nut/Net 5.1: CVE-2020-27213; a patch is still being worked on
- picoTCP 1.7.0, picoTCP-NG: CVE-2020-27635; the faulty default implementation was removed as of version 2.1; users should use their own PRNG (pseudorandom number generator)
- uC/TCP-IP 3.6.0: CVE-2020-27630; the project has been discontinued; according to Forescout, the successor project Micrium OS is protected in its current version
- uIP 1.0, Contiki-OS 3.0, Contiki-NG 4.5: CVE-2020-27634; no patch (and no response from the developers)
The version numbers given refer to the releases analysed by the researchers; however, all versions that contain the weak ISN generator code, the ones listed above included, should be considered vulnerable.
"Patch when possible"
In the course of the NUMBER:JACK investigations, Forescout did not, according to the blog entry, attempt to identify specific affected manufacturers and products. With AMNESIA:33 the team had faced the problem that the open source code of the stacks had been heavily modified and implemented in different variants, which made narrowing down the affected products extremely difficult. In addition, some device manufacturers were not necessarily aware that third-party components they used contained the vulnerable code.
As with AMNESIA (and Ripple20 before it), the bulk of the affected products this time is likely again to be Internet-of-Things devices; there are also some devices from the IT and OT (Operational Technology) area. End users are only helped once updates to the stacks and SDKs have reached the products through updates from the product manufacturers. Many cheap no-name products from the IoT sector will not receive any updates.
"Patch when possible", Forescout advises in the blog entry, logically enough; "if possible" would probably be more fitting. The company also recommends placing IoT devices in a separate network and allowing access from outside only via VPN, for example. It has also published an open source tool that is intended to help identify vulnerable stack implementations on one's own devices.