OTPulse

Multiple Embedded TCP/IP Stacks

Act Now · CVSS 9.8 · ICS-CERT ICSA-20-343-01 · Dec 8, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple critical vulnerabilities exist in widely used embedded TCP/IP stacks (CWE-835, CWE-190, CWE-125, CWE-787, CWE-20, CWE-170) affecting uIP, uIP-Contiki-NG, Nut/Net, FNET, open-iscsi, picoTCP, and uIP-Contiki-OS. These flaws include integer overflows, infinite loops, buffer overflows, and out-of-bounds reads that allow attackers to corrupt memory, trigger denial of service, exfiltrate data, and poison DNS caches. The vulnerabilities require no authentication and can be exploited with standard network packets sent to any reachable device using these stacks. Several products are end-of-life and will not receive patches. Affected vendors include Siemens, Microchip, Harting, Genetec, and others.

What this means
What could happen
An attacker could exploit multiple memory and DNS poisoning flaws in embedded TCP/IP stacks used in ICS/SCADA devices, potentially corrupting device memory, causing devices to hang or enter infinite loops, exfiltrating sensitive data, or poisoning DNS lookups that control systems rely on for communication with servers or peers.
Who's at risk
Any organization using industrial equipment, remote I/O modules, embedded gateways, iSCSI storage controllers, or sensor networks that rely on the listed embedded TCP/IP stacks (uIP, Nut/Net, FNET, open-iscsi, picoTCP, uIP-Contiki variants) is affected. This includes water utilities, power distributors, manufacturing facilities, and critical infrastructure operators using devices from listed vendors (Siemens, Microchip, Harting, FEIG, Genetec, Yanzi Networks, and others). End-of-life products (uIP, picoTCP, uIP-Contiki-OS) present the highest risk because they will not receive patches.
How it could be exploited
An attacker with network access to a device running one of these vulnerable TCP/IP stacks (e.g., a field device, PLC, or remote gateway) could craft malicious network packets that trigger integer overflow, infinite loops, buffer overflows, or out-of-bounds reads. These packets can be sent over standard TCP/IP connections without authentication, causing memory corruption, denial of service, or information disclosure. DNS poisoning could be used to redirect control system traffic to attacker-controlled servers.
Prerequisites
  • Network connectivity to the affected device (no authentication required)
  • Device must be running one of the affected TCP/IP stack versions listed above
  • For DNS poisoning attacks, the device must rely on DNS lookups for name resolution
  • Remotely exploitable over network without authentication
  • Low attack complexity (standard network packets)
  • High CVSS score (9.8 critical)
  • High EPSS probability (16.5%)
  • Multiple memory corruption and denial-of-service flaws
  • No patch available for EOL products (uIP, picoTCP, uIP-Contiki-OS)
  • Affects numerous critical infrastructure vendors
  • DNS poisoning could redirect control system communications
Exploitability
High exploit probability (EPSS 16.5%)
Affected products (8)
3 with fix, 5 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| uIP (EOL) | ≤ 1.0 | No fix (EOL) |
| uIP-Contiki-NG | ≤ 4.5 | No fix (EOL) |
| Nut/Net | ≤ 5.1 | latest version |
| FNET | 4.6.3 | 4.7.0 or later |
| open-iscsi | ≤ 2.1.12 | latest version |
| picoTCP (EOL) | ≤ 1.7.0 | No fix (EOL) |
| picoTCP-NG | ≤ 1.7.0 | No fix (EOL) |
| uIP-Contiki-OS (end-of-life [EOL]) | ≤ 3.0 | No fix (EOL) |

Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to devices running these TCP/IP stacks using firewall rules; block inbound connections from untrusted networks
  • WORKAROUND: Deploy internal DNS server with DNS-over-HTTPS to prevent DNS poisoning attacks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

uIP (EOL):
  • HOTFIX: Contact picoTCP-NG maintainers for patch availability; consider replacing EOL picoTCP instances with maintained alternative TCP/IP stacks
All products
  • HOTFIX: Update FNET to version 4.7.0 or later
  • HOTFIX: Update uIP-Contiki-NG to the latest available version
  • HOTFIX: Update open-iscsi to the latest available version
  • HOTFIX: Update Nut/Net to the latest available version from vendor website
Mitigations - no patch available
The following products have reached End of Life with no planned fix: uIP (EOL), uIP-Contiki-NG, picoTCP (EOL), picoTCP-NG, uIP-Contiki-OS (end-of-life [EOL]). Apply the following compensating controls:
  • HARDENING: Isolate control system networks containing affected devices from business networks and the Internet using air gaps or VPNs with multi-factor authentication
  • HARDENING: Implement network segmentation to ensure ICS devices are not directly Internet-accessible
  • HARDENING: Inventory all devices using vulnerable TCP/IP stacks (uIP, uIP-Contiki, FNET, open-iscsi, picoTCP, Nut/Net) and evaluate replacement options for EOL products
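
The inventory step above, as an added example (not part of the advisory or any vendor tooling): a triage script that checks a constructed asset list against the affected-version table on this page. The host names, the `ExampleStack` entry and the `isolate` / `patch` / `review` labels are assumptions made for illustration.

```python
import re

# Rules transcribed from the advisory's product table: (operator, bound, fix status).
# "<=" covers that version and earlier; FNET lists the single version 4.6.3.
AFFECTED = {
    "uip":            ("<=", "1.0",    "No fix (EOL)"),
    "uip-contiki-ng": ("<=", "4.5",    "No fix (EOL)"),
    "nut/net":        ("<=", "5.1",    "latest version"),
    "fnet":           ("==", "4.6.3",  "4.7.0 or later"),
    "open-iscsi":     ("<=", "2.1.12", "latest version"),
    "picotcp":        ("<=", "1.7.0",  "No fix (EOL)"),
    "picotcp-ng":     ("<=", "1.7.0",  "No fix (EOL)"),
    "uip-contiki-os": ("<=", "3.0",    "No fix (EOL)"),
}

def parse_version(text):
    """Turn '2.1.12' or 'v2.1.12' into (2, 1, 12); return None if not dotted-numeric."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip().lower())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(stack, version):
    """Classify one asset; the label names are this example's own (assumed)."""
    rule = AFFECTED.get(stack.strip().lower())
    if rule is None:
        return "not-listed"          # stack is not in the advisory's table
    op, bound, fix = rule
    have, limit = parse_version(version), parse_version(bound)
    if have is None:
        return "review"              # unparseable version: check the device by hand
    width = max(len(have), len(limit))  # pad so that 5.1 and 5.1.0 compare equal
    have += (0,) * (width - len(have))
    limit += (0,) * (width - len(limit))
    hit = have <= limit if op == "<=" else have == limit
    if not hit:
        return "not-affected"
    return "isolate" if "EOL" in fix else "patch"

# Constructed sample inventory: (host, stack, version). Not real devices.
INVENTORY = [
    ("rio-01", "uIP", "1.0"),
    ("gw-02", "FNET", "4.6.3"),
    ("gw-03", "FNET", "4.7.0"),
    ("san-04", "open-iscsi", "v2.1.12"),
    ("sen-05", "picoTCP", "custom-build"),
    ("plc-06", "ExampleStack", "2.0"),
]

def report(inventory):
    return {host: triage(stack, ver) for host, stack, ver in inventory}
```

Here `isolate` maps to the compensating controls listed for EOL products, and `patch` to the update named in the Fix Status column.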