Canon Medical Systems Security Advisory
Overview:
It was announced that there are multiple security vulnerabilities in several TCP/IP stacks commonly used in Internet of Things (IoT) and embedded devices. These vulnerabilities are also tracked under the name NAME:WRECK. TCP/IP stacks provide essential network communication capability. The following TCP/IP stacks were discovered to have 9 vulnerabilities related to their Domain Name System (DNS) implementations, causing either Denial of Service (DoS) or Remote Code Execution (RCE).
CVE ID | Stack | Description | Affected Component | Potential Impact | CVSS v3.1 |
CVE-2020-7461 | FreeBSD | The vulnerability exists due to a boundary error when parsing option 119 data in DHCP packets in dhclient(8). A remote attacker on the local network can send specially crafted data to the DHCP client, trigger heap-based buffer overflow and execute arbitrary code on the target system. | Message compression | RCE | 7.7 |
CVE-2016-20009 | IPnet | The DNS client has a stack-based overflow on the message decompression function leading to a potential RCE. | Message compression | RCE | 9.8 |
CVE-2020-15795 | Nucleus NET | The DNS domain name label parsing functionality does not properly validate the names in DNS responses. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition. | Domain name label parsing | RCE | 8.1 |
CVE-2020-27009 | Nucleus NET | The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition. | Message compression | RCE | 8.1 |
CVE-2020-27736 | Nucleus NET | The DNS domain name label parsing functionality does not properly validate the name in DNS responses. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition. | Domain name label parsing | DoS | 6.5 |
CVE-2020-27737 | Nucleus NET | The DNS response parsing functionality does not properly validate various length and counts of the records. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition. | Domain name label parsing | DoS | 6.5 |
CVE-2020-27738 | Nucleus NET | The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a read access past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition. | Message compression | DoS | 6.5 |
CVE-2021-25677 | Nucleus NET | The DNS client does not properly randomize DNS transaction ID (TXID) and UDP port numbers, allowing attackers to perform DNS cache poisoning/spoofing attacks. | Transaction ID | DNS cache poisoning /spoofing | 5.3 |
(waiting for a CVE ID to be assigned) | NetX | In the DNS resolver component, the functions _nx_dns_name_string_unencode and _nx_dns_resource_name_real_size_calculate do not check that the compression pointer does not equal the same offset currently being parsed, which could lead to an infinite loop. In the function _nx_dns_resource_name_real_size_calculate the pointer can also point forward and there is no out-of-bounds check on the packet buffer. | Message compression | DoS | 6.5 |
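Most rows in the table above describe two defects in the same routine: a compression pointer that is not checked against the packet bounds or against its own offset, and a label length that is trusted without checking that the label fits in the packet buffer. The decoder below is an added example, not code from Canon Medical Systems or from any of the stacks named above; it shows the checks a DNS client needs when it reads a name out of a response. The sample packet, the `dns_read_name` function and the `sample_decode` wrapper are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_NAME  255   /* RFC 1035 limit on a wire-format name, root label included */
#define DNS_MAX_LABEL 63    /* RFC 1035 limit on one label */
#define DNS_MAX_HOPS  16    /* defensive cap on pointer hops per name (constructed value) */

/* Decode a possibly-compressed name starting at offset `off` of the message `pkt`
 * (length `pkt_len`) into the dotted text form in `out`.
 * Returns the offset just past the name at the caller's position (where the next
 * field starts), or -1 if the name is malformed. Every read is bounds-checked,
 * pointers must point strictly backwards, and both the hop count and the decoded
 * name length are capped, so a crafted response cannot overread or loop forever. */
int dns_read_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                  char *out, size_t out_size)
{
    size_t pos = off, end = 0, out_len = 0, name_len = 0;
    int jumped = 0, hops = 0;

    if (pkt == NULL || out == NULL || out_size == 0) return -1;

    for (;;) {
        if (pos >= pkt_len) return -1;               /* length octet must be inside the packet */
        uint8_t len = pkt[pos];

        if ((len & 0xC0) == 0xC0) {                  /* compression pointer (two octets) */
            if (pos + 1 >= pkt_len) return -1;       /* second pointer octet must exist */
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (!jumped) { end = pos + 2; jumped = 1; }
            /* A pointer may only reference an earlier offset. This rejects a pointer to
             * itself and any forward or out-of-packet target (target < pos < pkt_len). */
            if (target >= pos) return -1;
            /* Backward-only still allows label -> pointer -> label cycles; the hop cap and
             * the 255-byte name limit below terminate those. */
            if (++hops > DNS_MAX_HOPS) return -1;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                   /* 0x40/0x80 label types are not supported */

        if (len == 0) {                              /* root label ends the name */
            if (!jumped) end = pos + 1;
            break;
        }
        if (len > DNS_MAX_LABEL) return -1;
        if (pos + 1 + len > pkt_len) return -1;      /* label bytes must fit in the packet */
        name_len += (size_t)len + 1;
        if (name_len + 1 > DNS_MAX_NAME) return -1;  /* +1 for the terminating root label */
        if (out_len + len + 1 >= out_size) return -1;/* room for label, '.', and NUL */
        memcpy(out + out_len, pkt + pos + 1, len);
        out_len += len;
        out[out_len++] = '.';
        pos += 1 + (size_t)len;
    }
    if (out_len == 0) out[out_len++] = '.';          /* the root name is written as "." */
    out[out_len] = '\0';
    return (int)end;
}

/* Constructed DNS message containing one valid name and several malformed name fields. */
static const uint8_t SAMPLE_PKT[] = {
    /* 0: 12-byte header (id 0x1234, response flags, QDCOUNT=1, ANCOUNT=1) */
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    /* 12: "www.example.com" in uncompressed wire form, root label at offset 28 */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    /* 29: valid pointer to offset 16 ("example.com") */
    0xC0, 0x10,
    /* 31: pointer to its own offset (0x1F == 31): the infinite-loop case */
    0xC0, 0x1F,
    /* 33: pointer to offset 255, beyond the end of this 44-byte packet */
    0xC0, 0xFF,
    /* 35: label claiming 63 bytes when far fewer remain: the overread case */
    0x3F, 'A', 'A',
    /* 38: "abc" followed at 42 by a pointer back to 38: a label/pointer cycle */
    3, 'a', 'b', 'c', 0xC0, 0x26,
};

/* Decode from `off` in SAMPLE_PKT; returns dns_read_name's result, or -2 when the
 * decoded text differs from `expected` (pass NULL to skip the text comparison). */
int sample_decode(size_t off, const char *expected)
{
    char name[DNS_MAX_NAME + 1];
    int r = dns_read_name(SAMPLE_PKT, sizeof SAMPLE_PKT, off, name, sizeof name);
    if (r >= 0 && expected != NULL && strcmp(name, expected) != 0) return -2;
    return r;
}

int main(void)
{
    const size_t offsets[] = { 12, 29, 31, 33, 35, 38 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        char name[DNS_MAX_NAME + 1];
        int r = dns_read_name(SAMPLE_PKT, sizeof SAMPLE_PKT, offsets[i], name, sizeof name);
        if (r < 0) printf("offset %zu: rejected as malformed\n", offsets[i]);
        else       printf("offset %zu: \"%s\" (next field at %d)\n", offsets[i], name, r);
    }
    return 0;
}
```

Each rejected case corresponds to a row of the table: the self-pointer at offset 31 is the NetX infinite loop, the forward pointer at 33 and the cycle at 38 are the unchecked pointer offsets of CVE-2020-27009 and CVE-2020-27738, and the oversized label at 35 is the label-length defect behind CVE-2020-15795, CVE-2020-27736 and CVE-2020-27737. CVE-2021-25677 (transaction ID and source port randomization) is a separate issue in the client's request path and is not covered by this decoder.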
© Canon Medical Systems Asia Pte. Ltd.