It has been brought to our attention by the 'Federal Office for Information Security' (BSI) that the network implementation within the microMIND is vulnerable to a number of exploits. These vulnerabilities were discovered by the 'Forescout Technologies' researchers Jos Wetzels, Stanislav Dashevskyi, Amine Amri, and Daniel dos Santos, and named AMNESIA:33, https://www.forescout.com/amnesia33/
Advisory release date
8th December 2020
NT-ware hardware where the uIP open-source network stack was implemented.
CVEs addressed in this firmware are: CVE-2020-13988, CVE-2020-13987, CVE-2020-17438, CVE-2020-17437
CVEs not related to the microMIND implementation of the uIP stack: CVE-2020-17440, CVE-2020-17439, CVE-2020-24334, CVE-2020-24335
There are multiple severity ratings across the different CVEs. The overall exploitability is low, as an adversary needs to be in the network already. If all factors are met, the risk is high and should be addressed.
Summary of Vulnerability
The microMIND utilises the uIP open-source network stack (https://en.wikipedia.org/wiki/UIP_(micro_IP)), used by thousands of companies to network-enable their software/hardware. The researchers found that, if exploited, these vulnerabilities could result in a DoS attack taking the device offline or in Remote Code Execution (RCE) on the microMIND itself. To address these vulnerabilities, NT-ware has released a new firmware that addresses all reported issues. At the time of writing this security bulletin, there are no known exploits targeting the microMIND.
Exploit name/link: AMNESIA:33, https://www.forescout.com/amnesia33/
uniFLOW microMIND Firmware: version 2.0.9 and earlier or delivered prior to October 2020
Firmware versions 2.0.10 and higher.
What You Need to Do
Please review the advisory and take appropriate action to upgrade your microMIND devices.
If you have an affected microMIND please contact your Canon representative to arrange upgrading the firmware.
If you have further questions, please contact your Canon / Canon Business Partner representative.