Security Advisory 2020-12-08
Executive summary
The “Amnesia” research shows vulnerabilities in the Contiki ecosystem; Yanzi customer impact is unlikely; software updates have been deployed automatically; no user action is required.
Details
This security advisory addresses the “Amnesia” suite of vulnerabilities found in the industry-leading Contiki open-source operating system. Yanzi has been a long-time contributor to Contiki and Contiki-NG and uses certain modules from them in its products. In light of the disclosure, Altacogni assessed the researchers' findings and any potential impact on Yanzi products and services. We found that most issues are in modules and code that are not included in the firmware deployed by the Yanzi Solution.
For the modules that are included and affected, Yanzi has incorporated the latest security fixes from the Contiki-NG project. In addition, several fixes and mitigations deployed by Yanzi have been contributed back upstream to the community.
Most of the issues found and listed below are triggered by malformed IPv6 packets. Customer impact is unlikely because the exploits require the link-layer authentication and encryption to be compromised before a malformed packet can reach the IPv6 stack at all. Nevertheless, Altacogni takes this seriously and has automatically deployed the updated software to all connected Yanzi systems.
Altacogni would like to thank the security researchers for the invaluable work they do for security in the Contiki and IoT ecosystems.
Related CVEs and comments
CVE-2020-13984 This issue is in RPL extension header handling: the size of the loop increment is not checked, and the 8-bit variables used can wrap around and cause an infinite loop.
This is fixed in Contiki-NG, and the fix is part of our latest releases.
CVE-2020-13985 This issue is also in RPL extension header handling: the sizes of input parameters are not checked, and combined with the use of 8-bit variables this makes memory corruption possible.
This issue is also fixed and part of our latest releases.
CVE-2020-13986 Another issue in RPL extension header handling; in this case the actual loop increment is not checked, which in some specific cases can result in an infinite loop.
This is fixed in Contiki-NG, and the fix is part of our latest releases.
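As an added illustration of the bug class behind CVE-2020-13984, CVE-2020-13985 and CVE-2020-13986 (example code written for this advisory, not Contiki's, Contiki-NG's or Yanzi's), the walker below scans the options of an IPv6 Hop-by-Hop header for the RPL option. The vulnerable shape keeps the header length and the cursor in 8-bit variables and never checks an option's length against the header, so one crafted length byte stalls the loop or sends the cursor past the header; the hardened shape uses wide arithmetic and bounds-checks every read. The function names, the max_iter guard and the sample headers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define OPT_PAD1 0x00   /* one-byte padding option, no length field */
#define OPT_PADN 0x01
#define OPT_RPL  0x63   /* RPL Option in the Hop-by-Hop header (RFC 6553) */

enum { WALK_NO_RPL = 0, WALK_RPL_FOUND = 1, WALK_MALFORMED = -1, WALK_GUARD_TRIPPED = -2 };

/* Vulnerable shape (illustrative, not Contiki's code): header length and cursor are
 * 8-bit, and an option's length is added to the cursor without checking that the
 * option lies inside the header. An option length of 254 turns i = 2 + 254 + 2 back
 * into 2, so the loop never advances (the CVE-2020-13984/-13986 class), and a large
 * length also lets the body index past the header (the CVE-2020-13985 class).
 * max_iter is a guard added only so that this demo returns. */
int walk_options_vulnerable(const uint8_t *hbh, unsigned max_iter)
{
  uint8_t hdr_len = (uint8_t)((hbh[1] + 1) * 8);   /* 8-bit: ext len 31 wraps to 0 */
  uint8_t i = 2;                                    /* skip next-header and ext-len bytes */
  unsigned iter = 0;
  while(i < hdr_len) {
    uint8_t opt_type = hbh[i], opt_len;
    if(++iter > max_iter) return WALK_GUARD_TRIPPED;
    if(opt_type == OPT_PAD1) { i++; continue; }
    opt_len = hbh[i + 1];                           /* no check that i + 1 < hdr_len */
    if(opt_type == OPT_RPL) return WALK_RPL_FOUND;
    i += opt_len + 2;                               /* uint8_t arithmetic: may wrap */
  }
  return WALK_NO_RPL;
}

/* Hardened shape: wide arithmetic, the header length is checked against the bytes
 * actually received, every option read is bounds-checked, and each iteration moves
 * the cursor forward by at least one byte, so neither wrap nor zero progress occurs. */
int walk_options_hardened(const uint8_t *hbh, size_t buf_len)
{
  size_t hdr_len, i;
  if(buf_len < 2) return WALK_MALFORMED;
  hdr_len = ((size_t)hbh[1] + 1) * 8;               /* RFC 8200: (ext len + 1) * 8 octets */
  if(hdr_len > buf_len) return WALK_MALFORMED;      /* header claims more than we hold */
  for(i = 2; i < hdr_len; ) {
    uint8_t opt_type = hbh[i];
    size_t opt_len;
    if(opt_type == OPT_PAD1) { i++; continue; }
    if(hdr_len - i < 2) return WALK_MALFORMED;      /* no room for the length byte */
    opt_len = hbh[i + 1];
    if(opt_len > hdr_len - i - 2) return WALK_MALFORMED;   /* option body overruns the header */
    if(opt_type == OPT_RPL) return WALK_RPL_FOUND;
    i += 2 + opt_len;
  }
  return WALK_NO_RPL;
}

/* Constructed sample headers (first byte: next header 59 = no next header). */
static const uint8_t HBH_RPL[16]    = { 59, 1, OPT_PADN, 4, 0, 0, 0, 0, OPT_RPL, 4, 0x00, 0x01, 0x00, 0x00, OPT_PAD1, OPT_PAD1 };
static const uint8_t HBH_WRAP[8]    = { 59, 0, OPT_PADN, 254, 0, 0, 0, 0 };   /* length 254 wraps the 8-bit cursor */
static const uint8_t HBH_TOOLONG[8] = { 59, 1, OPT_PAD1, 0, 0, 0, 0, 0 };     /* claims 16 octets, only 8 received */
static const uint8_t HBH_TRUNC[8]   = { 59, 0, OPT_PAD1, OPT_PAD1, OPT_PAD1, OPT_PAD1, OPT_PAD1, OPT_PADN };  /* PadN with no length byte */

int main(void)
{
  printf("RPL sample:  vulnerable=%d hardened=%d\n",
         walk_options_vulnerable(HBH_RPL, 1000), walk_options_hardened(HBH_RPL, sizeof HBH_RPL));
  printf("wrap sample: vulnerable=%d hardened=%d\n",
         walk_options_vulnerable(HBH_WRAP, 1000), walk_options_hardened(HBH_WRAP, sizeof HBH_WRAP));
  return 0;
}
```

walk_options_vulnerable is kept only for comparison and is never given HBH_TOOLONG or HBH_TRUNC, since on those inputs it reads past the header; the hardened walker is the one to call on received frames, and a WALK_MALFORMED result should drop the packet.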
CVE-2020-13987 When calculating the checksum for IP data, the function upper_layer_chksum() does not check the validity of the length field of the upper-layer (TCP/UDP) segment. This can cause the checksum to be calculated over more data than exists in the buffer. This bug still exists in upstream Contiki at the time of writing and can be triggered if packets arrive over Ethernet or as raw IPv6 packets.
The Yanzi Solution is not affected by this issue.
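To show what the missing length check in the checksum path looks like, the following is an added example written for this advisory; it is not the upstream upper_layer_chksum() nor Yanzi's code. It computes the RFC 8200 pseudo-header checksum two ways: one trusting the IPv6 payload length field, the other checking that field against the number of bytes actually received. It assumes a plain IPv6 + UDP packet with no extension headers; the sample packet and all function names are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40
#define UDP_HDR_LEN  8
#define NH_UDP       17

/* Ones' complement accumulation of len bytes as big-endian 16-bit words. */
static uint32_t sum16(uint32_t acc, const uint8_t *p, size_t len)
{
  size_t i;
  for(i = 0; i + 1 < len; i += 2) acc += ((uint32_t)p[i] << 8) | p[i + 1];
  if(len & 1) acc += (uint32_t)p[len - 1] << 8;   /* odd trailing byte is padded with zero */
  return acc;
}

static uint16_t fold(uint32_t a) { while(a >> 16) a = (a & 0xFFFF) + (a >> 16); return (uint16_t)a; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* RFC 8200 pseudo-header: src, dst, 32-bit upper-layer length, three zero bytes, next header. */
static uint32_t pseudo_hdr_sum(const uint8_t *pkt, uint16_t ul_len) { return sum16(0, pkt + 8, 32) + ul_len + pkt[6]; }

/* Vulnerable shape (illustrative, not the upstream function): the byte count comes straight
 * from the IPv6 payload length field, so a header announcing more payload than the frame
 * carries makes this read past the buffer (the CVE-2020-13987 class). Call only on verified input. */
uint16_t upper_layer_sum_trusting(const uint8_t *pkt)
{
  uint16_t payload_len = be16(pkt + 4);
  return fold(sum16(pseudo_hdr_sum(pkt, payload_len), pkt + IPV6_HDR_LEN, payload_len));
}

/* Hardened shape: the caller passes how many bytes were actually received, the announced
 * payload length is checked against it, and the UDP length must agree with it (this example
 * assumes UDP with no extension headers). Returns 0 and the folded sum, or -1 on inconsistent lengths. */
int upper_layer_sum_checked(const uint8_t *pkt, size_t pkt_len, uint16_t *sum)
{
  uint16_t payload_len, udp_len;
  if(pkt_len < IPV6_HDR_LEN + UDP_HDR_LEN || pkt[6] != NH_UDP) return -1;
  payload_len = be16(pkt + 4);
  if(payload_len > pkt_len - IPV6_HDR_LEN) return -1;   /* header claims more than we hold */
  udp_len = be16(pkt + IPV6_HDR_LEN + 4);
  if(udp_len < UDP_HDR_LEN || udp_len != payload_len) return -1;
  *sum = fold(sum16(pseudo_hdr_sum(pkt, payload_len), pkt + IPV6_HDR_LEN, payload_len));
  return 0;
}

/* Checksum to place in an outgoing packet whose checksum field is currently zero. */
int udp_chksum_compute(const uint8_t *pkt, size_t pkt_len, uint16_t *out)
{
  uint16_t s;
  if(upper_layer_sum_checked(pkt, pkt_len, &s) < 0) return -1;
  *out = (uint16_t)~s;
  if(*out == 0) *out = 0xFFFF;   /* UDP: zero means "no checksum", so transmit all-ones instead */
  return 0;
}

/* 1 if the checksum carried in an incoming packet verifies, 0 if not or if the packet is malformed. */
int udp_chksum_valid(const uint8_t *pkt, size_t pkt_len)
{
  uint16_t s;
  return upper_layer_sum_checked(pkt, pkt_len, &s) == 0 && s == 0xFFFF;
}

/* Constructed sample: IPv6 + UDP, fe80::1 -> fe80::2, 12 data bytes, checksum field zeroed. */
static const uint8_t SAMPLE_PKT[60] = {
  0x60, 0x00, 0x00, 0x00, 0x00, 0x14, NH_UDP, 64,           /* payload length 20 */
  0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,    /* src */
  0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2,    /* dst */
  0x13, 0x88, 0x13, 0x89, 0x00, 0x14, 0x00, 0x00,          /* ports 5000 -> 5001, length 20, checksum 0 */
  'h', 'e', 'l', 'l', 'o', ' ', 'c', 'o', 'n', 't', 'i', 'k'
};

/* Demo: both sums agree on the sample; compute, insert and verify; flip a data byte and verify again. */
int sample_roundtrip_ok(void)
{
  uint8_t pkt[sizeof SAMPLE_PKT];
  uint16_t c, s;
  memcpy(pkt, SAMPLE_PKT, sizeof pkt);
  if(upper_layer_sum_checked(pkt, sizeof pkt, &s) < 0 || s != upper_layer_sum_trusting(pkt)) return 0;
  if(udp_chksum_compute(pkt, sizeof pkt, &c) < 0) return 0;
  pkt[46] = (uint8_t)(c >> 8); pkt[47] = (uint8_t)c;
  if(!udp_chksum_valid(pkt, sizeof pkt)) return 0;
  pkt[59] ^= 0x01;
  return udp_chksum_valid(pkt, sizeof pkt) == 0;
}

/* Demo: the same frame, but its IPv6 header now announces 1024 payload octets. */
int sample_forged_length_status(void)
{
  uint8_t pkt[sizeof SAMPLE_PKT]; uint16_t s;
  memcpy(pkt, SAMPLE_PKT, sizeof pkt);
  pkt[4] = 0x04; pkt[5] = 0x00;
  return upper_layer_sum_checked(pkt, sizeof pkt, &s);   /* -1: refused rather than read past pkt */
}

int main(void)
{
  printf("roundtrip ok: %d, forged length status: %d\n", sample_roundtrip_ok(), sample_forged_length_status());
  return 0;
}
```

The point of the hardened variant is that the checksum code never learns the byte count from the packet alone: pkt_len comes from the link layer (the frame length), and every length field in the packet is checked against it before any byte is summed.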
CVE-2020-17438 The code that reassembles fragmented packets fails to properly validate the total length of an incoming packet specified in its IP header, as well as the fragmentation offset value specified in the IP header.
IPv6 Fragmentation is not enabled in the Yanzi Solution.
CVE-2020-25112 Several issues, such as insufficient checks of the IPv4/IPv6 header length.
The Yanzi Solution uses a significantly modified version of the relevant software module, with several additional improvements and checks. We use 6LoWPAN header compression for all IPv6 packets, which ensures that the IPv6 payload length is reconstructed from the received frame rather than taken from the packet itself and should therefore rule out injecting packets with incorrect length information. Nevertheless, we reviewed the relevant code in light of the upstream findings.
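The two remaining classes, fragment offset and length validation (CVE-2020-17438) and IPv6 header length checks (CVE-2020-25112), are illustrated together in the added example below. It is written for this advisory and is not Contiki's, Contiki-NG's or Yanzi's reassembly code; the 1280-octet buffer, the single-datagram reassembler, the frame builder, the demo functions and the constructed frames are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HDR_LEN   40
#define FRAG_HDR_LEN   8
#define NH_FRAGMENT    44
#define REASS_BUF_SIZE 1280   /* assumed reassembly buffer: the IPv6 minimum MTU */
enum { REASS_DROP = -1, REASS_NEED_MORE = 0 };   /* > 0: complete, value is the datagram length */
static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* CVE-2020-25112 class: the fixed header must fit in the frame and the payload length it
 * announces must not exceed what the link delivered. Returns the payload length, or -1. */
int ipv6_header_length_ok(const uint8_t *frame, size_t frame_len)
{
  uint16_t payload_len;
  if(frame_len < IPV6_HDR_LEN || (frame[0] >> 4) != 6) return -1;
  payload_len = be16(frame + 4);
  return payload_len > frame_len - IPV6_HDR_LEN ? -1 : payload_len;
}

/* Single-datagram reassembler state; reass_blocks holds one bit per 8-octet block. */
static uint8_t  reass_buf[REASS_BUF_SIZE], reass_blocks[REASS_BUF_SIZE / 64];
static uint32_t reass_id;
static size_t   reass_total;   /* known once the fragment with M = 0 has arrived */
static int      reass_active;

void reass_reset(void) { memset(reass_blocks, 0, sizeof reass_blocks); reass_total = 0; reass_active = 0; }

/* CVE-2020-17438 class: a fragment's offset + length is checked against the buffer and
 * against the total learned from the final fragment before anything is copied.
 * Input: an IPv6 header immediately followed by a Fragment header (RFC 8200, section 4.5). */
int ipv6_reass_input(const uint8_t *frame, size_t frame_len)
{
  int payload_len = ipv6_header_length_ok(frame, frame_len), more;
  const uint8_t *fh;
  size_t offset, data_len, b, nblocks;
  uint32_t id;
  if(payload_len < FRAG_HDR_LEN || frame[6] != NH_FRAGMENT) return REASS_DROP;
  fh       = frame + IPV6_HDR_LEN;
  offset   = be16(fh + 2) & 0xFFF8;   /* 13-bit offset in 8-octet units; the mask leaves it in octets */
  more     = fh[3] & 1;
  id       = ((uint32_t)be16(fh + 4) << 16) | be16(fh + 6);
  data_len = (size_t)payload_len - FRAG_HDR_LEN;
  if(!reass_active) { reass_active = 1; reass_id = id; }
  else if(id != reass_id) return REASS_DROP;                  /* one datagram at a time */
  if(more && (data_len & 7)) return REASS_DROP;               /* non-final fragments are 8-octet multiples */
  if(offset + data_len > REASS_BUF_SIZE) return REASS_DROP;   /* would overrun reass_buf */
  if(!more) {
    if(reass_total && reass_total != offset + data_len) return REASS_DROP;
    reass_total = offset + data_len;
  } else if(reass_total && offset + data_len > reass_total) return REASS_DROP;   /* beyond the known end */
  memcpy(reass_buf + offset, fh + FRAG_HDR_LEN, data_len);
  nblocks = (data_len + 7) / 8;
  for(b = offset / 8; b < offset / 8 + nblocks; b++) reass_blocks[b / 8] |= (uint8_t)(1u << (b % 8));
  if(!reass_total) return REASS_NEED_MORE;
  for(b = 0; b < (reass_total + 7) / 8; b++)
    if(!(reass_blocks[b / 8] & (1u << (b % 8)))) return REASS_NEED_MORE;
  return (int)reass_total;
}

/* Builds "IPv6 header + Fragment header + data" (fe80::1 -> fe80::2) into out; returns the frame length. */
size_t make_fragment(uint8_t *out, uint32_t id, uint16_t offset_octets, int more, const uint8_t *data, size_t len)
{
  memset(out, 0, IPV6_HDR_LEN + FRAG_HDR_LEN);
  out[0] = 0x60; out[4] = (uint8_t)((FRAG_HDR_LEN + len) >> 8); out[5] = (uint8_t)(FRAG_HDR_LEN + len);
  out[6] = NH_FRAGMENT; out[7] = 64; out[8] = 0xfe; out[9] = 0x80; out[23] = 1; out[24] = 0xfe; out[25] = 0x80; out[39] = 2;
  out[40] = 17;   /* next header of the reassembled datagram: UDP */
  out[42] = (uint8_t)(offset_octets >> 8); out[43] = (uint8_t)((offset_octets & 0xF8) | (more ? 1 : 0));
  out[44] = (uint8_t)(id >> 24); out[45] = (uint8_t)(id >> 16); out[46] = (uint8_t)(id >> 8); out[47] = (uint8_t)id;
  memcpy(out + IPV6_HDR_LEN + FRAG_HDR_LEN, data, len);
  return IPV6_HDR_LEN + FRAG_HDR_LEN + len;
}

/* Demo: the final 5-octet fragment arrives before the first 16-octet one. Returns 1 on success. */
int demo_out_of_order_reassembly(void)
{
  uint8_t f[80]; size_t n;
  reass_reset();
  n = make_fragment(f, 0x1234, 16, 0, (const uint8_t *)"ghijk", 5);
  if(ipv6_reass_input(f, n) != REASS_NEED_MORE) return 0;
  n = make_fragment(f, 0x1234, 0, 1, (const uint8_t *)"0123456789abcdef", 16);
  if(ipv6_reass_input(f, n) != 21) return 0;
  return memcmp(reass_buf, "0123456789abcdefghijk", 21) == 0;
}

/* Demo: offset 65528 + 8 octets, far past the 1280-octet buffer. Expected result: REASS_DROP. */
int demo_overrun_fragment(void)
{
  uint8_t f[80], zeros[8] = { 0 };
  reass_reset();
  return ipv6_reass_input(f, make_fragment(f, 0x1234, 0xFFF8, 0, zeros, 8));
}

/* Constructed 40-octet frame whose header announces 1280 payload octets that were never delivered. */
static const uint8_t FORGED_HDR[40] = { 0x60, 0, 0, 0, 0x05, 0x00, NH_FRAGMENT, 64 };

int main(void) { printf("reassembly: %d, overrun: %d, forged header: %d\n", demo_out_of_order_reassembly(), demo_overrun_fragment(), ipv6_header_length_ok(FORGED_HDR, sizeof FORGED_HDR)); return 0; }
```

The checks that matter are the ones before the memcpy: the announced payload length is bounded by the frame length, the fragment offset plus the fragment's data length is bounded by the reassembly buffer, and once the final fragment has fixed the datagram's total length no later fragment may extend past it. The same pattern applies to IPv4 reassembly, where the offset and total length come from the IPv4 header instead. Overlapping fragments are simply overwritten here, which a production reassembler would also want to police.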