Affected organizations – potentially a huge number – urged to update the networking protocol library
UPDATED A raft of pre-authentication vulnerabilities in the aging but widely used Treck TCP/IP stack can lead to both denial-of-service (DoS) and remote code execution (RCE) on target systems.
Users of the networking protocol library, used for embedded IoT, OT, and IT devices since it was developed in the late 1990s, have been urged to upgrade their systems.
The stack still appears to be in widespread use: Israeli cybersecurity firm JSOF said that the 19 zero-day vulnerabilities it disclosed in the library six months ago could affect “hundreds of millions of devices”.
Vendors potentially affected by the ‘Ripple20’ flaws included Fortune 500 companies HP, Schneider Electric, and Rockwell Automation, along with organizations operating in the medical, transportation, industrial controls, energy, telecoms, and retail sectors, added JSOF.
A “high skill level is needed to exploit” the latest batch of flaws, and “no known public exploits specifically target these vulnerabilities”, according to a security advisory (currently inaccessible) issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Earning a CVSS score of 9.8, a heap-based buffer overflow (CVE-2020-25066) in the Treck HTTP server was the more serious of the two critical bugs among a quartet of vulnerabilities reported to Treck by Intel Corporation.
A remote attacker who successfully exploited the flaw could crash the target system or execute arbitrary code on it.
The other critical vulnerability, an out-of-bounds write bug (CVE-2020-27337) in the IPv6 component, could allow an attacker with network access to cause a DoS condition.
Remediation and mitigation
The bugs, which were publicly disclosed on December 18, affect versions 6.0.1.67 and earlier of the Treck TCP/IP stack.
All four vulnerabilities have been fixed in the latest version, 6.0.1.68, according to Treck’s security advisory.
CISA’s advisory offers mitigations in lieu of a system update, including implementing firewall rules and isolating control system networks and devices from the internet and corporate network.
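As an added illustration of the network-isolation mitigation CISA describes (this is example configuration written for this article, not a ruleset published by CISA or Treck), the nftables script below puts the segment holding Treck-based devices behind a default-drop forwarding policy so that nothing on the corporate LAN or the internet can reach the devices' HTTP or IPv6 stack except one engineering host. The addresses 10.20.0.0/24 (OT segment), 10.10.0.0/16 (corporate LAN) and 10.10.5.10 (engineering workstation) are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Example ruleset for a router/firewall sitting between the corporate LAN and an
# OT segment of embedded devices running an unpatched Treck stack.
# All addresses below are constructed for illustration.

define ot_net   = 10.20.0.0/24   # assumed: segment holding the Treck-based devices
define corp_net = 10.10.0.0/16   # assumed: corporate LAN
define eng_host = 10.10.5.10     # assumed: the one workstation allowed to manage devices

table inet ot_isolation {
    chain forward {
        # Default drop: anything not explicitly permitted never reaches the devices.
        # Because the rules below only match IPv4 addresses, all forwarded IPv6
        # traffic is dropped by this policy too, which matters given that
        # CVE-2020-27337 sits in the stack's IPv6 component.
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that were explicitly allowed.
        ct state established,related accept

        # Only the engineering workstation may open new connections into the OT segment.
        ip saddr $eng_host ip daddr $ot_net ct state new accept

        # Devices may not initiate connections to the corporate LAN or the internet.
        ip saddr $ot_net drop

        # Everything else from the corporate LAN or the internet is dropped by policy.
    }
}
```

Load it with `nft -f` on the device that routes between the two segments; because the policy is `drop`, verify with a packet capture from the engineering host that management traffic still works before relying on it, and treat the rules as a stop-gap until the devices can be updated.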
The disclosure follows the emergence earlier this month of 33 vulnerabilities in four open source TCP/IP stacks – dubbed AMNESIA:33 by Forescout researchers – that left more than a million embedded devices vulnerable to takeover.
This article was updated on January 8 to remove reference to a tool that we incorrectly stated was developed by Treck to help security teams ascertain whether organizations were running vulnerable builds. This tool was in fact neither developed by, nor related to, Treck.