2020: Security Advisory: Amnesia 33 uIP Stack Vulnerability

Summary

It has been brought to our attention by the 'Federal Office for Information Security' (BSI) that the network implementation within the microMIND is vulnerable to a number of exploits. These vulnerabilities were discovered by 'Forescout Technologies', researchers Jos Wetzels, Stanislav Dashevskyi, Amine Amri, and Daniel dos Santos and named: AMNESIA:33,  AMNESIA:33 - Forescout

Advisory release date

8th December 2020

Product Affected

uniFLOW MicroMIND

Products Reviewed

NT-ware hardware where uIP open-source network stack was implemented.

CVE

CVE's addressed in this firmware are: CVE-2020-13988, CVE-2020-13987, CVE-2020-17438, CVE-2020-17437
CVE's not related to the MicroMIND implementation of the uIP Stack: CVE-2020-17440, CVE-2020-17439, CVE-2020-24334, CVE-2020-24335

Severity

There are multiple severity ratings across the different CVE’s. The overall exploitability is low as an adversary needs to be in the network already. If all factors are met the risk is high and should be addressed.

 

Summary of Vulnerability

The microMIND utilises the uIP open-source network stack, https://en.wikipedia.org/wiki/UIP_(micro_IP) used by thousands of companies to network enable their software/hardware. The researchers found that if exploited these vulnerabilities could result in a DoS attack taking the device offline or performing Remote Code Execution (RCE) on the microMIND itself. To address these vulnerabilities NT-ware has released a new firmware that addresses all reported issues. At the time of writing this security bulletin there are no known exploits targeting the microMIND.

Exploit name/link: AMNESIA:33,  AMNESIA:33 - Forescout
CVE's addressed in this firmware are: CVE-2020-13988, CVE-2020-13987, CVE-2020-17438, CVE-2020-17437
CVE's not related to the MicroMIND implementation of the uIP Stack: CVE-2020-17440, CVE-2020-17439, CVE-2020-24334, CVE-2020-24335

Affected Versions

Product

Affected versions

uniFLOW microMIND

uniFLOW microMIND Firmware: version 2.0.9  and earlier or delivered prior to October 2020

  

Fixed Versions

Product

Fix versions

NT-ware microMIND

Firmware versions 2.0.10 and higher.

 

What You Need to Do

Please review the advisory and table appropriate action to upgrade your microMIND devices.

Mitigation

If you have an affected microMIND please contact your Canon representative to arrange upgrading the firmware.

Support

If you have further questions, please contact your Canon / Canon Business Partner representative.