EMU-SEC20201201: Multiple Vulnerabilities in EMU Professional TCP/IP

Publication Date: 2020-12-08
Last Update: initial version
Current Version: 1.0
CVSS v3.1 Base Score: 7.5 - 8.2

 

SUMMARY
=======

Security researchers have discovered multiple vulnerabilities in the embedded
TCP/IP software in these products - commonly referred to as "AMNESIA:33" -
through a combination of both static code analysis and testing of the software
in a lab setting for potential abuse.

This advisory is a reminder to customers that access to the device should always
be secured. EMU supports their customers in this endeavor by trying to provide updates to close
any known vulnerabilities.

AFFECTED PRODUCTS AND SOLUTION
==============================

* EMU Professional 3/75 TCP/IP
- Affected versions:
All versions with module-version >= 3.0 and <= 3.2
- Remediation:
See recommendations from section Workarounds and Mitigations

* EMU Professional 3/5 TCP/IP
- Affected versions:
All versions with module-version >= 3.0 and <= 3.2
- Remediation:
See recommendations from section Workarounds and Mitigations

* EMU Professional 3/75 TCP/IP
- Affected versions:
All versions with module-version <= 2.9
- Remediation:
Product was discontinued in Octobre 2016 and is End of Support
The successor is EMU Professional 3/75 TCP/IP with module-version 3.3

* EMU Professional 3/5 TCP/IP
- Affected versions:
All versions with module-version <= 2.9
- Remediation:
Product was discontinued in Octobre 2016 and is End of Support
The successor is EMU Professional 3/5 TCP/IP with module-version 3.3

* EMU M-BUS Logger 60
- Affected versions:
All versions
- Remediation:
Product was discontinued in February 2017 and is End of Support
The successor is the M-BUS Center 60

* EMU S0-Logger
- Affected versions:
All versions
- Remediation:
Product was discontinued in February 2018 and is End of Support
The successor is the M-BUS Center 60

WORKAROUNDS AND MITIGATIONS
===========================

EMU has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* EMU-Professional 3/75 TCP/IP and EMU-Professional 3/5 TCP/IP with module-version >= 3.0 and <= 3.2
- Update to the latest firmware version 3.3

* all other products:
- switch to the corresponding successor

GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, EMU strongly recommends to protect
network access to devices with appropriate mechanisms.

PRODUCT DESCRIPTION
===================

EMU Professional TCP is a 3phase energy meter equipped with an embedded webserver
and Modbus TCP.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.

 

* Vulnerability CVE-2020-13988

The routine for parsing TCP MSS options relies on a `uint8_t`
counter that under certain conditions will be only mutated depending on an
arbitrary MSS option's length value.
If that length value is `0xff`, the counter will be decremented and thus
pointing on a value according to which the counter will be incremented.
This will go one infinitely resulting in an infinite loop.

CVSS v3.1 Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-190

* Vulnerability CVE-2020-13987

When calculating the checksum for IP data, the function
in question doesn't check the validity of the `length field` of the
`upper layer (TCP/UDP)` segment against the length of the internal buffer
`uip_buf`. That would result eventually into an `Out of bounds read` bug which might
result in DoS. The latter depends on how the platform implements memory protection
and the out of bound read size.

CVSS v3.1 Base Score: 8.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CWE: CWE-125

* Vulnerability CVE-2020-17440

The code that parses incoming DNS packets does not validate
that domain names present in the DNS responses are NULL terminated.
This results in errors when calculating the offset of the pointer that jumps
over domain name bytes in DNS response packets when domain names are not
NULL terminated, and eventually leads to dereferencing the pointer at an invalid address.

CVSS v3.1 Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-476

* Vulnerability CVE-2020-17439

The code that parses incoming DNS packets does not validate
that the incoming DNS replies match outgoing DNS queries, and arbitrary DNS replies
are parsed if there was ANY outgoing DNS query with transaction id that matches the
transaction id of an incoming reply.

Provided that the default DNS cache is quite small (only four records) and that
the transaction id has a very limited set of values that is quite easy to guess,
this can lead to DNS cache poisoning.

CVSS v3.1 Base Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
CWE: CWE-923

* Vulnerability CVE-2020-17437

When TCP Urgent flag is set in a TCP packet, and the stack is configured to ignore
the urgent data, the stack will attempt to use the value of the Urgent pointer bytes
to separate the Urgent data from the normal data by calculating the offset at which
the normal data should be present in the global buffer. The problem is that the length
of this offset is not checked, therefore for large values of the Urgent pointer bytes,
the data pointer can point to some memory that is way beyond the data buffer.
Also the length of the normal TCP data is not validated.

CVSS v3.1 Base Score: 8.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CWE: CWE-125

Credit
======
All issues in this advisory were discovered and reported by Jos Wetzels, Amine Amri, Stanislav Dashevskyi and Daniel dos Santos at Forescout Technologies

ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in EMU products and
solutions, please contact the EMU Support:

HISTORY DATA
============

V1.0 (2020-12-08): Publication Date

9th Oct 2020: Fingerprint | 676A DDF0 B67C 7E76 5EEF 3D0B CDB2 5BB6 2C91 007F