TID-202: Exploitable System Network Stack Component
Threat Description
Devices may contain vulnerabilities in the software used to parse network protocols. If a device does not parse a protocol correctly, a threat actor can send malformed messages that trigger memory corruption, for example by placing an oversized value in a message's length field so that the payload is copied into a fixed-size buffer without a bounds check. Vulnerabilities resulting from protocol manipulation can then be used to achieve remote code execution or denial of service on the device. Protocol parsing is difficult to get right for several reasons, including unclear protocol specifications and differing expectations about how fields are to be interpreted. Because the malformed input arrives over the network, often in packets that are nearly or entirely valid, these attacks typically require no user interaction and may pass through NAT and firewalls as legitimate traffic.
Threat Maturity and Evidence
Known Exploitable Weakness
Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets
“Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit.”
Ripple20
“Ripple20 vulnerabilities are unique both in their widespread effect and impact due to supply chain effect and being vulnerabilities allowing attackers to bypass NAT and firewalls and take control of devices undetected, with no user interaction required. This is due to the vulnerabilities being in a low level TCP/IP stack, and the fact that for many of the vulnerabilities, the packets sent are very similar to valid packets, or, in some cases are completely valid packets. This enables the attack to pass as legitimate traffic.”
Urgent/11
“The Armis research team, Armis Labs, has discovered 11 zero-day vulnerabilities in VxWorks®, the most widely used operating system you may have never heard about. VxWorks is used by over 2 billion devices including critical industrial, medical and enterprise devices. Dubbed “URGENT/11,” the vulnerabilities reside in VxWorks’ TCP/IP stack (IPnet), impacting all versions since version 6.5, and are a rare example of vulnerabilities found to affect the operating system over the last 13 years. Armis has worked closely with Wind River®, the maintainer of VxWorks, and the latest VxWorks 7 released on July 19 contains fixes for all the discovered vulnerabilities.”
AMNESIA:33
“In this study, we discuss the results of the security analysis of seven open source TCP/IP stacks and report a bundle of 33 new vulnerabilities found in four of the seven analyzed stacks that are used by major IoT, OT and IT device vendors.”
CWE
CWE-20: Improper Input Validation (Class)
“The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.”
CWE-121: Stack-based Buffer Overflow (Simple)
“A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).”
CVE
ICSA-13-291-01B
“An attacker could cause the software to go into an infinite loop with a specifically crafted TCP packet, causing the process to crash. The system must be restarted manually to clear the condition.”
CVE-2013-2811: GE Proficy HMI/SCADA DNP3 Driver Input Validation
“The DNP master station server (DNPDrv.exe) that processes incoming messages via Serial, IP, or Modem does not validate all inputs and can be exploited to generate an unhandled exception or denial of service.”
CVE-2019-6529: Kunbus PR100088 Modbus Gateway
“An attacker could specially craft an FTP request that could crash the device.”
CVE-2013-0662: Schneider Electric Serial Modbus Driver Buffer Overflow
“The Modbus Serial Driver creates a listener on Port 27700/TCP. When a connection is made, the Modbus Application Header is first read into a buffer. If a large buffer size is specified in this header, a stack-based buffer overflow results. A second overflow problem can then be exploited by overwriting the return address, allowing the attacker to execute arbitrary code with the permission of the user running the software.”