Use IWL TCP Test Suite to Avoid CERT Security Advisories

IWL TCP Test Suites Would Have Revealed These Flaws BEFORE they showed up in a CERT Security Advisory.

ICS-CERT (Industrial Control System – Computer Emergency Response Team) is part of the U.S. Department of Homeland Security. Recently CERT issued two Advisories concerning TCP/IP implementation flaws that have existed for years, perhaps decades and are now being found in embedded systems.

Details may be viewed here:

https://www.cisa.gov/news-events/ics-advisories/icsa-19-211-01

The vulnerabilities identified include: Stack-based Buffer Overflow, Heap-based Buffer Overflow, Integer Underflow, Improper Restriction of Operations within the Bounds of a Memory Buffer, Race Condition, Argument Condition or Modification, Null Pointer Dereference, Argument Injection or Modification.

IWL initiated an analysis to verify that our TCP/IP Test Suite would have uncovered these vulnerabilities.

1. CVE-2019-12255: TCP Urgent Pointer = 0 leads to integer underflow

The IWL TCP Test Suite would have revealed this flaw.

The IWL TCP Test Suite contains a test that sets the Urgent Pointer = 0 

Test Name: TCP.Connected.006 SET URG BIT AND URGENT POINTER TO 0.

Description: This test exercises urgent pointer math by setting the URG bit and the pointer value to 0.

Thus, with the IWL TCP/IP Test Suite, this issue could have been discovered and remediated.

2. CVE-2019-12264: Logical flaw in IPv4 assignment by the ipdhcpc Dynamic Host Configuration Protocol (DHCP) client

It is likely that the IWL TCP Test Suite would have revealed this flaw so that it could have been repaired prior to release into products.

This vulnerability permits the sending of a spoofed DHCP response with an invalid IP address, potentially leading to a denial of service in the wireless capability of specific products.

The DHCP tests contained in the IWL TCP Test Suite have two tests to help detect this problem:

• IPv4.DHCPC.011 Set the 'your IP address' field to the broadcast address.
• IPv4.DHCPC.012 Set the 'your IP address' field to the localhost address.

The broadcast and localhost address sent in above two tests are invalid IP address offered to a DHCP client. The proper response is for the client to reject the transaction.

It is apparent that there is an assumption among those who produce network products that old code, or code from open sources is free from flaws and may be safely deployed. Time and time again this assumption has been shown to be unfounded. Many Internet of Things (IoT) devices will never be updated after they leave the factory. So it is important that they be as good as possible before they are shipped, particularly for devices that affect user health, safety, and finances.

And even for those devices that can be updated, it is important that those updates be of high quality.

The IWL TCP/IP Test Suite is a tool that product developers can use to increase the confidence in product quality and help avoid being the subject of a CERT advisory.