Thursday, February 11, 2021

2 Advisories and 1 Update Published – 2-11-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Rockwell and multiple embedded TCP/IP stacks.

Rockwell Advisory

This advisory describes an uncontrolled search path element vulnerability in the Rockwell DriveTools SP and Drives AOP. The vulnerability was reported by Claroty and Cognite; Rockwell has an update that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with local access could exploit the vulnerability resulting in privilege escalation and complete control of the system.

TCP/IP Stacks Advisory

This advisory describes nine separate ‘use of insufficiently random values’ vulnerabilities in multiple open-source and proprietary TCP/IP stacks. The vulnerabilities (nicknamed NUMBER:JACK) were reported by Daniel dos Santos, Stanislav Dashevskyi, Jos Wetzels, and Amine Amri of Forescout Research Labs. Some of the affected vendors have new versions that mitigate the vulnerability in their TCP/IP stack.

The nine reported CVEs (each generally associated with a separate TCP/IP stack vendor) are:

• CVE-2020-27213 - Nut/Net 5.1 - Patch in progress

• CVE-2020-27630 - uC/TCP-IP 3.6.0 - Patched in the latest version of Micrium OS (successor project)

• CVE-2020-27631 - CycloneTCP 1.9.6 - Patched in version 2.0.0

• CVE-2020-27632 - NDKTCPIP 2.25 - Patched in version 7.02 of Processor SDK

• CVE-2020-27633 - FNET 4.6.3 - Documentation updated to warn users and recommend implementing their own PRNG [pseudorandom number generator]

• CVE-2020-27634 - uIP 1.0, Contiki-OS 3.0, Contiki-NG 4.5 - No response from maintainers

• CVE-2020-27635 - PicoTCP 1.7.0, PicoTCP-NG - Version 2.1 removes the default (vulnerable) implementation and recommends users implement their own PRNG

• CVE-2020-27636 - MPLAB Net 3.6. - Patched in version 3.6.4

• CVE-2020-28388 - Nucleus NET 4.3 - Patched in Nucleus NET 5.2 and Nucleus ReadyStart v2012.12

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to hijack or spoof TCP connections, cause denial-of-service conditions, inject malicious data, or bypass authentication.

NOTE: The “NUMBER:JACK” report explains that “Forescout Research Labs has released an open source script that uses active fingerprinting to detect which stack a target device is running.” {pg 6}.

Commentary: Oh this is going to be a fun one. I foresee lots of equipment vendor advisories in the works as everyone scrambles to try to fix this mess. BTW, the Report notes that an attack on this type of vulnerability in the old IT world was known as a Mitnick Attack.
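The NUMBER:JACK findings concern TCP initial sequence numbers (ISNs) that a stack’s default PRNG makes predictable, which is what makes the connection hijacking and spoofing above (the Mitnick-style attack) possible. As an added example, not code from the report or from any of the stacks listed, here is a constructed fixed-seed generator of that kind beside an RFC 6528 style generator a stack maintainer could adopt instead, plus a small audit function a defender can run over the ISNs two freshly booted devices hand out; the seed, addresses and ports are constructed values.

```python
"""Weak fixed-seed ISN generator next to an RFC 6528 style one, with an
audit that flags the symptoms of the weak pattern (constructed example)."""
import hashlib
import secrets
import struct
import time


class WeakIsnGenerator:
    """Constructed weak pattern: a 32-bit LCG seeded with a constant at boot.
    Every device then emits the same ISN series, regardless of the peer."""

    def __init__(self, seed=0x12345678):          # constructed seed value
        self.state = seed & 0xFFFFFFFF

    def next_isn(self, laddr, lport, raddr, rport):
        self.state = (1103515245 * self.state + 12345) & 0xFFFFFFFF
        return self.state


class Rfc6528IsnGenerator:
    """ISN = M + F(laddr, lport, raddr, rport, secret): M is a clock in 4 us
    units, F is MD5 over the 4-tuple plus a boot-time secret from the CSPRNG."""

    def __init__(self, secret=None, clock_ns=time.monotonic_ns):
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.clock_ns = clock_ns

    def next_isn(self, laddr, lport, raddr, rport):
        m = (self.clock_ns() // 4000) & 0xFFFFFFFF   # 4-microsecond ticks
        msg = laddr + struct.pack("!H", lport) + raddr + struct.pack("!H", rport)
        f = struct.unpack("!I", hashlib.md5(msg + self.secret).digest()[:4])[0]
        return (m + f) & 0xFFFFFFFF


LOCAL = (bytes([10, 0, 0, 5]), 502)        # constructed: a device on port 502
PEER_A = (bytes([10, 0, 0, 10]), 40000)    # constructed client 4-tuple halves
PEER_B = (bytes([10, 0, 0, 11]), 40000)


def isn_series(gen, peer, n=5):
    """ISNs a freshly booted device issues for n connections from `peer`."""
    return [gen.next_isn(*LOCAL, *peer) for _ in range(n)]


def weak_isn_symptoms(make_gen):
    """Defender-side audit: boot two devices and compare what they issue.
    Returns (same_across_devices, same_across_peers); either True means an
    observer who has seen one device's series can predict the others."""
    across_devices = isn_series(make_gen(), PEER_A) == isn_series(make_gen(), PEER_A)
    across_peers = isn_series(make_gen(), PEER_A) == isn_series(make_gen(), PEER_B)
    return across_devices, across_peers
```

`weak_isn_symptoms(WeakIsnGenerator)` returns `(True, True)`, while the RFC 6528 generator returns `(False, False)` because each boot draws a fresh secret and the hash binds the ISN to the 4-tuple.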

CodeMeter Update

This update provides new information on an advisory that was originally published on September 8th, 2020 and most recently updated on December 3rd, 2020. The new information consists of links to the vendor alert from Drager.
