x
Limited Time Offer: Save up to 20% on a new CIS SecureSuite Membership | Learn more
×
Why CIS Solutions Join CIS Resources
CIS WorkBench Sign-in CIS WorkBench Sign In CIS Hardened Images CIS Hardened Images Support CIS Support


Why CIS

Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world



About Us Leadership Principles Testimonials

Solutions

secure your organization
Secure Your Organization


secure specific platforms
Secure Specific Platforms


cis securesuite CIS SecureSuite® Learn More      Apply Now  
u s state local tribal and territorial governments
U.S. State, Local, Tribal & Territorial Governments


View All Products & Services  

Join CIS

Get Involved

Join CIS as a member, partner, or volunteer - or explore our career opportunities



CIS SecureSuite® Membership Multi-State ISAC (MS-ISAC®) Elections Infrastructure ISAC (EI-ISAC®) CIS CyberMarket® Vendors CIS Communities Careers

Resources

resources
Resources


learn
Learn


filter by topic
Filter by Topic


View All Resources  
CIS Logo Show Search Expand Menu

Multiple Vulnerabilities in NicheStack Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2021-100

DATE(S) ISSUED:

08/08/2021

OVERVIEW:

Multiple vulnerabilities have been discovered in NicheStack, the most severe of which could result in remote code execution. NicheStack are networking protocol libraries specifically designed for embedded systems and are widely used. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of the application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • InterNiche stack versions prior to v4.3
  • NicheLite versions prior to v4.3

RISK:

Government:
  • Large and medium government entities: MEDIUM
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: MEDIUM
  • Small business entities: MEDIUM
Home Users:
LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in NicheStack, the most severe of which could allow for remote code execution. Details of the vulnerabilities are as follows:

  • When parsing DNS domain names, there are no checks on whether a domain name compression pointer is pointing within the bounds of the packet, which may result in an out-of-bounds read. (CVE-2020-25767)
  • The routine for parsing DNS response packets does not check the “response data length” field of individual DNS answers, which may cause an out-of-bounds read/write. (CVE-2020-25928)
  • The number of queries or responses specified in the DNS packet header is not validated with the query/response data available in the DNS packet, leading to an out-of-bounds read. (CVE-2020-25927)
  • The DNS client does not sufficiently randomize transaction IDs, facilitating DNS cache poisoning attacks. (CVE-2020-25926)
  • The code that parses ICMP packets relies on an unchecked value of the IP payload size to compute the ICMP checksum, which may result in an out-of-bounds read. (CVE-2020-35683)
  • The code that parses TCP packets relies on an unchecked value of the IP payload size to compute the length of the TCP payload within the TCP checksum computation function, which may result in an out-of-bounds read. (CVE-2020-35684)
  • TCP ISNs are insufficiently randomized, which may result in TCP spoofing by an attacker. (CVE-2020-35685)
  • The TCP urgent data processing function may invoke a panic function, which may result in an infinite loop. (CVE-2021-31400)
  • An attacker could send a specially crafted IP packet to trigger an integer overflow due to the lack of IP length validation. (CVE-2021-31401)
  • A potential heap buffer overflow exists in the code that parses the HTTP POST request due to lack of size validation. (CVE-2021-31226)
  • A potential heap buffer overflow exists in the code that parses the HTTP POST request due to an incorrect signed integer comparison. (CVE-2021-31227)
  • An attacker may be able to predict DNS queries’ source port to then send forged DNS response packets, which may be accepted as valid answers. (CVE-2021-31228)
  • Unhandled HTTP requests result in an infinite loop that disrupts TCP/IP communication. (CVE-2021-27565)
  • The TFTP packet processing function does not ensure that the filename is null-terminated, which may result in a denial-of-service condition. (CVE-2021-36762)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the application. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Run all software as a nonprivileged user with minimal access rights. To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  • Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
  • Do not accept or execute files from untrusted or unknown sources.
  • To reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.
  • Implement multiple redundant layers of security. Since this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0