Threat Alert

by IthacaLabs™

THREAT LEVEL/High 18/06/2020

High – 19 New Zero Day Vulnerabilities In Treck TCP/IP stack

Threat Level Description

Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures are warranted, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgements on acceptable risk.

Description

We have observed that a number of new zero-day vulnerabilities, affecting hundreds of millions of devices, have been identified.

The set of 19 vulnerabilities, named “Ripple20”, resides in a low-level TCP/IP software library developed by “Treck”. These vulnerabilities, if weaponized, could let remote attackers gain complete control over targeted devices without requiring any user interaction.

The affected devices are in use across various industries, ranging from home/consumer devices to medical, healthcare, data centers, enterprises, telecom, oil, gas, nuclear, transportation, and many others across critical infrastructure.

“Treck” designs, distributes and supports real-time embedded internet protocol software for worldwide technology markets, including low-level, application-level and web-level internet protocols.

Vulnerability Overview:

1. IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY (CVE-2020-11896)
2. IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY (CVE-2020-11897)
3. IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY (CVE-2020-11898)
4. IMPROPER INPUT VALIDATION (CVE-2020-11899)
5. DOUBLE FREE (CVE-2020-11900)
6. IMPROPER INPUT VALIDATION (CVE-2020-11901)
7. IMPROPER INPUT VALIDATION (CVE-2020-11902)
8. OUT-OF-BOUNDS READ (CVE-2020-11903)
9. INTEGER OVERFLOW OR WRAPAROUND (CVE-2020-11904)
10. OUT-OF-BOUNDS READ (CVE-2020-11905)
11. IMPROPER INPUT VALIDATION (CVE-2020-11906)
12. IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY (CVE-2020-11907)
13. IMPROPER NULL TERMINATION (CVE-2020-11908)
14. IMPROPER INPUT VALIDATION (CVE-2020-11909)
15. IMPROPER INPUT VALIDATION (CVE-2020-11910)
16. IMPROPER ACCESS CONTROL (CVE-2020-11911)
17. IMPROPER INPUT VALIDATION (CVE-2020-11912)
18. IMPROPER INPUT VALIDATION (CVE-2020-11913)
19. IMPROPER INPUT VALIDATION (CVE-2020-11914)

Note that “Treck” has patched most of the flaws with the release of TCP/IP stack version 6.0.1.67 or higher.

CVE(s)

CVE-2020-11914

BASE SCORE: 3.3 Low
VECTOR: (AV:A/AC:L/Au:N/C:P/I:N/A:N)

The Treck TCP/IP stack before 6.0.1.66 has an ARP Out-of-bounds Read.

CVE-2020-11913

BASE SCORE: 5 Medium
VECTOR: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.

CVE-2020-11912

BASE SCORE: 3.3 Low
VECTOR: (AV:A/AC:L/Au:N/C:N/I:N/A:P)

The Treck TCP/IP stack before 6.0.1.66 has a TCP Out-of-bounds Read.

CVE-2020-11911

BASE SCORE: 5 Medium
VECTOR: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Treck TCP/IP stack before 6.0.1.66 has Improper ICMPv4 Access Control.

CVE-2020-11910

BASE SCORE: 5 Medium
VECTOR: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

The Treck TCP/IP stack before 6.0.1.66 has an ICMPv4 Out-of-bounds Read.

CVE-2020-11909

BASE SCORE: 5 Medium
VECTOR: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

The Treck TCP/IP stack before 6.0.1.66 has an IPv4 Integer Underflow.

CVE-2020-11908

BASE SCORE: 3.3 Low
VECTOR: (AV:A/AC:L/Au:N/C:N/I:N/A:P)

The Treck TCP/IP stack before 4.7.1.27 mishandles '\0' termination in DHCP.

CVE-2020-11907

BASE SCORE: 5.8 Medium
VECTOR: (AV:A/AC:L/Au:N/C:P/I:P/A:P)

The Treck TCP/IP stack before 6.0.1.66 improperly handles a Length Parameter Inconsistency in TCP.

CVE-2020-11906

BASE SCORE: 5.8 Medium
VECTOR: (AV:A/AC:L/Au:N/C:P/I:P/A:P)

The Treck TCP/IP stack before 6.0.1.66 has an Ethernet Link Layer Integer Underflow.

CVE-2020-11905

BASE SCORE: 3.3 Low
VECTOR: (AV:A/AC:L/Au:N/C:P/I:N/A:N)

The Treck TCP/IP stack before 6.0.1.66 has a DHCPv6 Out-of-bounds Read.

CVE-2020-11904

BASE SCORE: 7.5 High
VECTOR: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

The Treck TCP/IP stack before 6.0.1.66 has an Integer Overflow during Memory Allocation that causes an Out-of-Bounds Write.

CVE-2020-11903

BASE SCORE: 3.3 Low
VECTOR: (AV:A/AC:L/Au:N/C:P/I:N/A:N)

The Treck TCP/IP stack before 6.0.1.28 has a DHCP Out-of-bounds Read.

CVE-2020-11902

BASE SCORE: 7.5 High
VECTOR: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

The Treck TCP/IP stack before 6.0.1.66 has an IPv6OverIPv4 tunneling Out-of-bounds Read.

CVE-2020-11901

BASE SCORE: 9.3 High
VECTOR: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution via a single invalid DNS response.

CVE-2020-11900

BASE SCORE: 6.4 Medium
VECTOR: (AV:N/AC:L/Au:N/C:N/I:P/A:P)

The Treck TCP/IP stack before 6.0.1.41 has an IPv4 tunneling Double Free.

CVE-2020-11899

BASE SCORE: 4.8 Medium
VECTOR: (AV:A/AC:L/Au:N/C:N/I:P/A:P)

The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.

CVE-2020-11898

BASE SCORE: 6.4 Medium
VECTOR: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

The Treck TCP/IP stack before 6.0.1.66 improperly handles an IPv4/ICMPv4 Length Parameter Inconsistency, which might allow remote attackers to trigger an information leak.

CVE-2020-11897

BASE SCORE: 10 High
VECTOR: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

The Treck TCP/IP stack before 5.0.1.35 has an Out-of-Bounds Write via multiple malformed IPv6 packets.

CVE-2020-11896

BASE SCORE: 9.3 High
VECTOR: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.
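The scores listed above are CVSS v2 base scores. As an added example (not part of the IthacaLabs alert), the following calculator parses the vector strings exactly as printed in the entries above and recomputes the base score from the published CVSS v2 weights, so each listed score can be cross-checked; the four sample entries are copied from this alert.

```python
import math
import re

# CVSS v2 base-metric weights, from the CVSS v2.0 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Matches the vector strings as printed in the alert; parentheses are optional.
_VECTOR_RE = re.compile(
    r"\(?AV:(?P<AV>[LAN])/AC:(?P<AC>[HML])/Au:(?P<Au>[MSN])"
    r"/C:(?P<C>[NPC])/I:(?P<I>[NPC])/A:(?P<A>[NPC])\)?"
)

def parse_vector(vector: str) -> dict:
    """Return the six CVSS v2 base metrics, or raise ValueError if malformed."""
    m = _VECTOR_RE.fullmatch(vector.strip())
    if m is None:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return m.groupdict()

def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded half-up to one decimal as the spec requires."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[v["C"]]) * (1 - IMPACT[v["I"]]) * (1 - IMPACT[v["A"]]))
    exploitability = 20 * ACCESS_VECTOR[v["AV"]] * ACCESS_COMPLEXITY[v["AC"]] * AUTHENTICATION[v["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176  # f(Impact) is 0 when there is no impact
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10

def severity(score: float) -> str:
    """NVD qualitative rating for CVSS v2 scores (Low 0-3.9, Medium 4.0-6.9, High 7.0-10)."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

# Four Ripple20 entries copied from the alert above: (vector, listed base score).
RIPPLE20_SAMPLE = {
    "CVE-2020-11897": ("(AV:N/AC:L/Au:N/C:C/I:C/A:C)", 10.0),
    "CVE-2020-11901": ("(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    "CVE-2020-11907": ("(AV:A/AC:L/Au:N/C:P/I:P/A:P)", 5.8),
    "CVE-2020-11914": ("(AV:A/AC:L/Au:N/C:P/I:N/A:N)", 3.3),
}

def mismatches(entries=RIPPLE20_SAMPLE) -> list:
    """Return the CVE ids whose recomputed score differs from the listed one."""
    return [cve for cve, (vec, listed) in entries.items() if base_score(vec) != listed]

if __name__ == "__main__":
    for cve, (vec, listed) in RIPPLE20_SAMPLE.items():
        s = base_score(vec)
        print(f"{cve}: computed {s} ({severity(s)}), listed {listed}")
```

Feeding every vector from the alert through `base_score` reproduces the listed scores, which confirms they follow the CVSS v2 formula rather than v3.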

Affected Systems

  • The Treck TCP/IP stack is affected, including its IPv4, IPv6, UDP, DNS, DHCP, TCP, ICMPv4 and ARP components.

Recommendation(s)

Install the relevant security patch as soon as it is available from the vendor.

Furthermore, since millions of affected devices will not receive security patches for the Ripple20 vulnerabilities any time soon, it is recommended to take defensive measures to minimize the risk of exploitation of these vulnerabilities.

Some measures may include:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). VPNs should be updated to the most current versions available.
  • Use an internal DNS server that performs DNS-over-HTTPS for lookups.

You should understand the importance of security updates and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to operate an efficient patch management process, keep security event logging enabled, and practise event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations require a comprehensive approach to risk management, including penetration testing at least annually and upon significant changes.
