Treck TCP/IP Stack (Update I)
1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Treck Inc.
- Equipment: TCP/IP
- Vulnerabilities: Improper Handling of Length Parameter Inconsistency, Improper Input Validation, Double Free, Out-of-bounds Read, Integer Overflow or Wraparound, Improper Null Termination, Improper Access Control
CISA is aware of a public report, known as "Ripple20", that details vulnerabilities found in the Treck TCP/IP stack. CISA is issuing this advisory to provide early notice of the reported vulnerabilities and to identify baseline mitigations for reducing the risk from these and other cybersecurity attacks.
The Treck TCP/IP stack may be known by other names such as Kasago TCP/IP, ELMIC, Net+ OS, Quadnet, GHNET v2, Kwiknet, or AMX.
2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow remote code execution or exposure of sensitive information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The Treck TCP/IP stack is affected, including:
- Treck Inc TCP/IP: IPv4
- Treck Inc TCP/IP: IPv6
- Treck Inc TCP/IP: UDP
- Treck Inc TCP/IP: DNS
- Treck Inc TCP/IP: DHCP
- Treck Inc TCP/IP: TCP
- Treck Inc TCP/IP: ICMPv4
- Treck Inc TCP/IP: ARP
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130
Improper handling of length parameter inconsistency in IPv4/UDP component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution.
CVE-2020-11896 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
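As an added illustration (not from the advisory and not Treck code) of what the CWE-130 class in 3.2.1 means for an IPv4/UDP parser: every length field is validated against the bytes actually received and against the enclosing header before it is used. The header layouts are the standard IPv4/UDP ones; the sample frame and the `parse_with_udp_len` helper are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added illustration of the CWE-130 class this advisory names for the IPv4/UDP
 * component (not Treck code; only the standard IPv4/UDP header layouts are used):
 * every length field is checked against the bytes that actually arrived and
 * against the field that encloses it before it is used to address memory. */

enum { IPV4_MIN_HDR = 20, UDP_HDR = 8, PROTO_UDP = 17 };

/* Returns the UDP payload length, or -1 if any length field is inconsistent. */
int udp_payload_len(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < IPV4_MIN_HDR || (frame[0] >> 4) != 4)
        return -1;                               /* no IPv4 header to read */
    size_t ihl = (size_t)(frame[0] & 0x0f) * 4;  /* header length in bytes */
    if (ihl < IPV4_MIN_HDR || ihl > frame_len)
        return -1;                               /* IHL claims more than arrived */
    size_t total_len = ((size_t)frame[2] << 8) | frame[3];
    if (total_len < ihl || total_len > frame_len)
        return -1;                               /* total length vs. wire length */
    if (((frame[6] & 0x3f) | frame[7]) != 0 || frame[9] != PROTO_UDP)
        return -1;                               /* fragment (reassemble first) or not UDP */
    size_t ip_payload = total_len - ihl;         /* room IPv4 grants to UDP */
    if (ip_payload < UDP_HDR)
        return -1;                               /* truncated UDP header */
    size_t udp_len = ((size_t)frame[ihl + 4] << 8) | frame[ihl + 5];
    /* The CWE-130 check proper: the inner (UDP) length must fit the outer (IPv4)
     * one. Trusting udp_len alone lets a packet claim more payload than arrived. */
    if (udp_len < UDP_HDR || udp_len > ip_payload)
        return -1;
    return (int)(udp_len - UDP_HDR);
}

/* Constructed sample (not a capture): IPv4 without options, UDP 53->53, 4-byte payload. */
static const uint8_t sample_ok[32] = {
    0x45, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,                        /* src, dst */
    0x00, 0x35, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00,  /* ports, UDP len 12, cksum */
    'a', 'b', 'c', 'd' };

/* Same frame with the UDP length field set to `claimed`; returns the parser's verdict. */
int parse_with_udp_len(uint16_t claimed)
{
    uint8_t f[32];
    memcpy(f, sample_ok, sizeof f);
    f[24] = (uint8_t)(claimed >> 8); f[25] = (uint8_t)claimed;
    return udp_payload_len(f, sizeof f);
}
```

The same pattern applies to the other length-bearing headers listed in this advisory (IPv6 payload length, TCP data offset, option lengths): a field is only trusted once it has been bounded by the layer that delivered it.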
3.2.2 IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130
Improper handling of length parameter inconsistency in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in possible out-of-bounds write.
CVE-2020-11897 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.2.3 IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130
Improper handling of length parameter inconsistency in IPv4/ICMPv4 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in out-of-bounds read.
CVE-2020-11898 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
3.2.4 IMPROPER INPUT VALIDATION CWE-20
Improper input validation in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow out-of-bounds read and a possible denial of service.
CVE-2020-11899 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).
3.2.5 DOUBLE FREE CWE-415
Possible double free in IPv4 tunneling component when handling a packet sent by a network attacker. This vulnerability may result in use after free.
CVE-2020-11900 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).
3.2.6 IMPROPER INPUT VALIDATION CWE-20
Improper input validation in DNS resolver component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution.
CVE-2020-11901 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.2.7 IMPROPER INPUT VALIDATION CWE-20
Improper input validation in IPv6 over IPv4 tunneling component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow out-of-bounds read.
CVE-2020-11902 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
3.2.8 OUT-OF-BOUNDS READ CWE-125
Possible out-of-bounds read in DHCP component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information.
CVE-2020-11903 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
3.2.9 INTEGER OVERFLOW OR WRAPAROUND CWE-190
Possible integer overflow or wraparound in memory allocation component when handling a packet sent by an unauthorized network attacker may result in out-of-bounds write.
CVE-2020-11904 has been assigned to this vulnerability. A CVSS v3 base score of 5.6 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
3.2.10 OUT-OF-BOUNDS READ CWE-125
Possible out-of-bounds read in DHCPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information.
CVE-2020-11905 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
3.2.11 IMPROPER INPUT VALIDATION CWE-20
Improper input validation in the Ethernet link layer component when handling a packet sent by an unauthorized user.
CVE-2020-11906 has been assigned to this vulnerability. A CVSS v3 base score of 5.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
3.2.12 IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130
Improper handling of length parameter inconsistency in TCP component when handling a packet sent by an unauthorized network attacker.
CVE-2020-11907 has been assigned to this vulnerability. A CVSS v3 base score of 5.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
3.2.13 IMPROPER NULL TERMINATION CWE-170
Improper null termination in DHCP component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information.
CVE-2020-11908 has been assigned to this vulnerability. A CVSS v3 base score of 3.1 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
3.2.14 IMPROPER INPUT VALIDATION CWE-20
Improper input validation in IPv4 component when handling a packet sent by an unauthorized network attacker.
CVE-2020-11909 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
3.2.15 IMPROPER INPUT VALIDATION CWE-20
Improper input validation in ICMPv4 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow out-of-bounds read.
CVE-2020-11910 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
3.2.16 IMPROPER ACCESS CONTROL CWE-284
The affected product is vulnerable to improper access control, which may allow an attacker to change one specific configuration value.
CVE-2020-11911 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
3.2.17 IMPROPER INPUT VALIDATION CWE-20
Improper input validation in TCP component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow out-of-bounds read.
CVE-2020-11912 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
3.2.18 IMPROPER INPUT VALIDATION CWE-20
Improper input validation in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow out-of-bounds read.
CVE-2020-11913 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
3.2.19 IMPROPER INPUT VALIDATION CWE-20
Improper input validation in ARP component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow out-of-bounds read.
CVE-2020-11914 has been assigned to this vulnerability. A CVSS v3 base score of 3.1 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing, Information Technology, Healthcare and Public Health, Transportation Systems
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Shlomi Oberman and Moshe Kol of JSOF reported these vulnerabilities to CERT/CC.
4. MITIGATIONS
Treck recommends users apply the latest version of the affected products:
- Treck TCP/IP: Update to 6.0.1.67 or later versions
To obtain patches, email Treck at security@treck.com.
For more detailed information on the vulnerabilities and the mitigating controls, please see the Treck advisory.
Additional vendors affected by the reported vulnerabilities have also released security advisories related to their affected products. Those advisories are as follows:
- ABB
- B.Braun
- Baxter
- BD
- CareStream
- Caterpillar
- DIGI International
- Eaton
- Green Hills Software
- IDEC Corporation
- Johnson Controls
- Miele
- Opto 22
- Pepperl+Fuchs
- Rockwell
- Schneider Electric
- Smiths Medical
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as virtual private networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. This vulnerability has a high attack complexity.
5. UPDATE HISTORY
- June 16, 2020: Initial Publication
- June 18, 2020: Update A - ICSA-20-168-01 Treck TCP-IP Stack (Update A)
- June 30, 2020: Update B - ICSA-20-168-01 Treck TCP/IP Stack (Update B)
- July 07, 2020: Update C - ICSA-20-168-01 Treck TCP-IP Stack (Update C)
- July 14, 2020: Update D - ICSA-20-168-01 Treck TCP/IP Stack (Update D)
- July 21, 2020: Update E - ICSA-20-168-01 Treck TCP/IP Stack (Update E)
- August 04, 2020: Update F - ICSA-20-168-01 Treck TCP-IP Stack (Update F)
- August 20, 2020: Update G - ICSA-20-168-01 Treck TCP/IP Stack (Update G)
- March 17, 2022: Update H - ICSA-20-168-01 Treck TCP/IP Stack (Update H)
- September 19, 2024: Update I - Included IDEC Corporation.