Multiple Embedded TCP/IP Stacks (Update B)
Plan Patch | 7.5 | ICS-CERT ICSA-21-042-01 | Feb 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple embedded TCP/IP stacks contain weak initial sequence number (ISN) generation, allowing attackers to predict TCP connection sequences. Successful exploitation can be used to hijack or spoof TCP connections, cause denial-of-service, inject malicious data, or bypass authentication. Affected stacks include MPLAB Net, picoTCP-NG, FNET, Nucleus NET, CycloneTCP, NDKTCPIP, Nut/Net, Nucleus ReadyStart, uIP variants, uC/TCP-IP, and others.
What this means
What could happen
An attacker could hijack or spoof TCP connections on your control devices, allowing data injection, denial-of-service attacks, or authentication bypass if those devices use one of the affected embedded TCP/IP stacks.
Who's at risk
This affects any industrial device or embedded system running one of the listed TCP/IP stacks, including PLCs, RTUs, control modules, and embedded devices across water treatment, power distribution, manufacturing, and building automation. Legacy and end-of-life systems are particularly at risk since many have no patch available.
How it could be exploited
An attacker with network access to your control system network could send specially crafted TCP packets that exploit weak initial sequence number generation. This allows them to predict or forge TCP connection sequences, potentially taking over legitimate connections or injecting malicious commands into the data stream without needing to intercept the original traffic.
Prerequisites
- Network access to affected device (same network segment or across network if routed)
- No authentication required to exploit the TCP/IP stack weakness
Tags: remotely exploitable, no authentication required, low complexity, no patch available for many products, affects legacy/end-of-life systems
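The weakness described above, contrasted with a hardened generator, as an added example that is not code from the advisory or from any of the listed stacks. It assumes the RFC 6528 construction (ISN = M + F(4-tuple, secret)) with HMAC-SHA-256 standing in for F; the function names, addresses, ports and the fixed-step "weak" generator are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
import time

MASK = 0xFFFFFFFF
BOOT_SECRET = os.urandom(16)  # assumption: fresh random secret per boot


def weak_isn(state, step=64000):
    """Constructed weak generator: a counter bumped by a fixed step per connection."""
    state[0] = (state[0] + step) & MASK
    return state[0]


def rfc6528_isn(laddr, lport, raddr, rport, secret=BOOT_SECRET, now=None):
    """ISN = M + F(4-tuple, secret), with M a 4-microsecond clock."""
    clock = time.monotonic() if now is None else now
    m = int(clock * 250_000) & MASK  # 250,000 ticks per second
    four_tuple = (ipaddress.ip_address(laddr).packed + struct.pack("!H", lport)
                  + ipaddress.ip_address(raddr).packed + struct.pack("!H", rport))
    digest = hmac.new(secret, four_tuple, hashlib.sha256).digest()
    f = struct.unpack("!I", digest[:4])[0]
    return (m + f) & MASK


def looks_predictable(isns, tolerance=0):
    """Audit check: True when successive ISNs advance by a near-constant step."""
    deltas = [(b - a) & MASK for a, b in zip(isns, isns[1:])]
    return len(deltas) >= 2 and max(deltas) - min(deltas) <= tolerance


def demo():
    # Constructed samples: eight connections from client ports 40000-40007.
    state = [0xFFFFFF00]  # start near the wrap point on purpose
    weak = [weak_isn(state) for _ in range(8)]
    strong = [rfc6528_isn("192.0.2.10", 502, "192.0.2.50", 40000 + i, now=12.0)
              for i in range(8)]
    return looks_predictable(weak), looks_predictable(strong)


if __name__ == "__main__":
    print(demo())
```

When auditing a real device, feed `looks_predictable` the ISNs from SYN-ACKs captured on your own test connections and raise `tolerance` to absorb timer jitter.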
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (15)
7 with fix, 5 pending, 3 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| uIP-Contiki-OS (end-of-life [EOL]) | ≤ 3.0 | No fix yet |
| Nucleus Source Code: All Versions | All versions | No fix yet |
| Nut/Net | ≤ 5.1 | No fix yet |
| Capital VSTAR: All Versions | All versions | No fix yet |
| uIP-Contiki-NG | ≤ 4.5 | No fix yet |
| MPLAB Net | ≤ 3.6.1 | 3.6.4 or later |
| picoTCP-NG | ≤ 1.7.0 | 2.1 or later |
| FNET | 4.6.3 | 4.7.1 or later |
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to devices running affected TCP/IP stacks using firewalls and access control lists
- WORKAROUND: Enable Transport Layer Security (TLS) or other cryptographic protocols to protect data in transit for critical control communications
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
- HOTFIX: Update MPLAB Net to Version 3.6.4 or later
- HOTFIX: Update picoTCP-NG to Version 2.1 or later
- HOTFIX: Update FNET to Version 4.7.1 or later
- HOTFIX: Update CycloneTCP to Version 2.0.0 or later
- HOTFIX: Update NDKTCPIP to Version 7.02 or later
- HOTFIX: Update Nucleus ReadyStart for ARM, MIPS, and PPC to v2012.12 or later
- HOTFIX: Update Nucleus NET to version 5.2 or later
- HOTFIX: Contact Siemens customer support for Capital VSTAR and Nucleus Source Code patch information
Mitigations - no patch available
The following products have reached End of Life with no planned fix: uC/TCP-IP (EOL), uIP (EOL), picoTCP (EOL). Apply the following compensating controls:
- HARDENING: Implement network segmentation to isolate control system networks from business networks and the Internet
CVEs (9)