Author Topic: Security flaws in Wind River's IPnet embedded TCP/IP stack  (Read 136 times)

0 Members and 1 Guest are viewing this topic.

Offline splin

  • Frequent Contributor
  • **
  • Posts: 810
  • Country: gb
Security flaws in Wind River's IPnet embedded TCP/IP stack
« on: October 04, 2019, 05:44:33 pm »
The US Food and Drug Administration is warning hospital IT admins to keep a close eye on their networks following the discovery of security vulnerabilities in a relatively obscure and dated TCP/IP stack – IPnet – used in embedded devices.

The flaws, mostly buffer overflows and memory in various components of IPnet, can be potentially exploited by miscreants to remotely take control of equipment, in this case medical implants and the base stations that manage them.

Not exactly a surprise, but potentially a big problem for products with embedded stacks, most having no prospect of getting firmware updates even if owners get to know there is a problem. The article doesn't suggest that the flaws have been exploited (yet) and you would hope that such equipment would be behind a decent firewall, but that isn't sufficient to ensure safety. I guess most embedded kit with TCP/IP stacks use it to provide a Web interface for control purposes and that the main danger would be equipment that connects to an external server for DRM/licencing/billing/update purposes?

Using a commercial, supported product rather one of the free offerings such as LwIP doesn't necessarily help - at some point the stack vendor will drop support or go out of business. If you have access to the source code you at least have the chance to fix the code, although getting the updated firmware installed in all the products you've sold is another matter.

Is it likely that you, as a manufacturer of an embedded product with a TCP/IP stack, could get sued if a customer suffers loss that can be traced to a security flaw in your product? Obviously that is going to depend on where you, and your customers are in the world. OTOH security vulnerabilities don't seem to worry the likes of router manufacturers who rarely bother to offer updates - let the customer buy the latest version (with its own unique set of bugs) if they're worried.

Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo