2020: Security Advisory: Amnesia 33 uIP Stack Vulnerability
Summary | It has been brought to our attention by the 'Federal Office for Information Security' (BSI) that the network implementation within the microMIND is vulnerable to a number of exploits. These vulnerabilities were discovered by 'Forescout Technologies', researchers Jos Wetzels, Stanislav Dashevskyi, Amine Amri, and Daniel dos Santos and named: AMNESIA:33, AMNESIA:33 - Forescout |
Advisory release date | 8th December 2020 |
Product Affected | uniFLOW MicroMIND |
Products Reviewed | NT-ware hardware where uIP open-source network stack was implemented. |
CVE | CVE's addressed in this firmware are: CVE-2020-13988, CVE-2020-13987, CVE-2020-17438, CVE-2020-17437 |
Severity
There are multiple severity ratings across the different CVE’s. The overall exploitability is low as an adversary needs to be in the network already. If all factors are met the risk is high and should be addressed.
Summary of Vulnerability
The microMIND utilises the uIP open-source network stack, https://en.wikipedia.org/wiki/UIP_(micro_IP) used by thousands of companies to network enable their software/hardware. The researchers found that if exploited these vulnerabilities could result in a DoS attack taking the device offline or performing Remote Code Execution (RCE) on the microMIND itself. To address these vulnerabilities NT-ware has released a new firmware that addresses all reported issues. At the time of writing this security bulletin there are no known exploits targeting the microMIND.
Exploit name/link: AMNESIA:33, AMNESIA:33 - Forescout
CVE's addressed in this firmware are: CVE-2020-13988, CVE-2020-13987, CVE-2020-17438, CVE-2020-17437
CVE's not related to the MicroMIND implementation of the uIP Stack: CVE-2020-17440, CVE-2020-17439, CVE-2020-24334, CVE-2020-24335
Affected Versions
Product | Affected versions |
uniFLOW microMIND | uniFLOW microMIND Firmware: version 2.0.9 and earlier or delivered prior to October 2020 |
Fixed Versions
Product | Fix versions |
NT-ware microMIND | Firmware versions 2.0.10 and higher. |
What You Need to Do
Please review the advisory and table appropriate action to upgrade your microMIND devices.
Mitigation
If you have an affected microMIND please contact your Canon representative to arrange upgrading the firmware.
Support
If you have further questions, please contact your Canon / Canon Business Partner representative.