A raft of pre-authenticated vulnerabilities in the aged but widely used Treck TCP/IP stack can lead to both denial-of-service (DoS) and remote code execution (RCE) on target systems.
Users of the networking protocol library, used for embedded IoT, OT, and IT devices since it was developed in the late 1990s, have been urged to upgrade their systems.
The technology stack appears to still be widely used given that Israeli cybersecurity firm JSOF said that 19 zero-day vulnerabilities that it disclosed in the library six months ago could affect “hundreds of millions of devices”.
Vendors potentially affected by the ‘Ripple20’ flaws included Fortune 500 companies HP, Schneider Electric, and Rockwell Automation, along with organizations operating in the medical, transportation, industrial controls, energy, telecoms, and retail sectors, added JSOF.
A “high skill level is needed to exploit” the latest batch of flaws, and “no known public exploits specifically target these vulnerabilities”, according to a security advisory (currently inaccessible) issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Buffer overflow
Earning a CVSS score of 9.8, a heap-based buffer overflow (CVE-2020-25066) in the Treck HTTP server was the more serious of the two critical bugs among a quartet of vulnerabilities reported to Treck by Intel Corporation.
A remote, unauthenticated attacker who successfully exploited the flaw could crash the target system or execute arbitrary code on it.
The other critical vulnerability, an out-of-bounds write bug (CVE-2020-27337) in the IPv6 component, could allow an unauthenticated attacker with network access to the device to cause a DoS condition.
The other flaws include a medium-severity out-of-bounds read in the DHCPv6 client component (CVE-2020-27338), and a low-severity improper input validation vulnerability in IPv6 (CVE-2020-27336).
Remediation and mitigation
The bugs, which were publicly disclosed on December 18, affect versions 6.0.1.67 and earlier of the Treck TCP/IP stack.
All vulnerabilities have been remediated in the latest version, 6.0.1.68, as per Treck’s security advisory.
Ohio-based Treck has released a new detection tool via GitHub to help security teams ascertain whether network devices are running vulnerable builds.
CISA’s advisory offers mitigations in lieu of a system update, including implementing firewall rules and isolating control system networks and devices from the internet and corporate network.
The disclosure follows the emergence earlier this month of 33 vulnerabilities in four open source TCP/IP stacks – dubbed AMNESIA:33 by Forescout researchers – that left more than a million embedded devices vulnerable to takeover.
The Daily Swig has invited Treck to comment further and we will update this story if and when we hear back.
Source: https://portswigger.net/daily-swig/vulnerabilities-in-treck-tcp-ip-stack-open-the-door-to-dos-remote-code-execution-exploits