Affected organizations – potentially a huge number – urged to update the networking protocol library

Vulnerabilities in Treck TCP/IP stack point attackers arrow towards DoS, remote code execution exploits

UPDATED A raft of pre-authenticated vulnerabilities in the aged but widely used Treck TCP/IP stack can lead to both denial-of-service (DoS) and remote code execution (RCE) on target systems.

Users of the networking protocol library, used for embedded IoT, OT, and IT devices since it was developed in the late 1990s, have been urged to upgrade their systems.

The technology stack appears to still be widely used given that Israeli cybersecurity firm JSOF said that 19 zero-day vulnerabilities that it disclosed in the library six months ago could affect “hundreds of millions of devices”.

Vendors potentially affected by the ‘Ripple20’ flaws included Fortune 500 companies HP, Schneider Electric, and Rockwell Automation, along with organizations operating in the medical, transportation, industrial controls, energy, telecoms, and retail sectors, added JSOF.

A “high skill level is needed to exploit” the latest batch of flaws, and “no known public exploits specifically target these vulnerabilities”, according a security advisory (currently inaccessible) issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

Buffer overflow

Earning a CVSS score of 9.8, a heap-based buffer overflow (CVE-2020-25066) in the Treck HTTP server was the most serious of two critical bugs among a quartet of vulnerabilities reported to Treck by Intel Corporation.

A remote attacker who successfully exploited the flaw could both crash the target system and execute arbitrary commands.


RECOMMENDED Nintendo 3DS digital certificate vulnerability earns researcher $12,000 bug bounty


The other critical vulnerability, an out-of-bounds write bug (CVE-2020-27337) in the IPv6 component, could allow malicious actors to gain network access and cause DoS.

The other flaws include a medium severity out-of-bound read in the DHCPv6 client component (CVE-2020-27338), and a low-risk improper input validation vulnerability in IPv6 (CVE-2020-27336).

Remediation and mitigation

The bugs, which were publicly disclosed on December 18, affect versions 6.0.1.67 and earlier of Treck TCP/IP stack.

All vulnerabilities have been remediated in the latest version, 6.0.1.68, as per Treck’s security advisory.


Read more of the latest hacking news


CISA’s advisory offers mitigations in lieu of a system update, including implementing firewall rules and isolating control system networks and devices from the internet and corporate network.

The disclosure follows the emergence earlier this month of 33 vulnerabilities in four open source TCP/IP protocols – dubbed AMNESIA:33 by Forescout researchers – that left more than a million embedded devices vulnerable to takeover.


This article was updated on January 8 to remove reference to a tool that we incorrectly stated was developed by Treck to help security teams ascertain whether organizations were running vulnerable builds. This tool was in fact neither developed by, nor related to, Treck.


YOU MIGHT ALSO LIKE SAP HANA authentication flaw allowed attacker to pose as different user