
Multiple Vulnerabilities in Treck TCP/IP Stack Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2020-083

DATE(S) ISSUED:

06/18/2020

OVERVIEW:

Multiple vulnerabilities (collectively known as Ripple20) have been discovered in the Treck TCP/IP Stack, the most severe of which could result in remote code execution. The Treck TCP/IP Stack is a set of networking protocol libraries designed specifically for embedded systems. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code in the context of the application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Treck TCP/IP Stack versions prior to 6.0.1.66
  • Per Jsof-Tech, Ripple20 reached critical IoT devices from a wide range of fields, involving a diverse group of vendors. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in the medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries. Any application or system using these affected libraries is affected until patched.

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: N/A
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities (collectively known as Ripple20) have been discovered in the Treck TCP/IP Stack, the most severe of which could result in remote code execution. Details of these vulnerabilities are as follows:

  • Improper handling of length parameter inconsistency in IPv4/UDP component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution. (CVE-2020-11896)
  • Improper handling of length parameter inconsistency in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in a possible out-of-bounds write. (CVE-2020-11897)
  • Improper handling of length parameter inconsistency in IPv4/ICMPv4 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in an out-of-bounds read. (CVE-2020-11898)
  • Improper input validation in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow an out-of-bounds read and a possible denial of service. (CVE-2020-11899)
  • Possible double free in IPv4 tunneling component when handling a packet sent by a network attacker. This vulnerability may result in use after free. (CVE-2020-11900)
  • Improper input validation in DNS resolver component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution. (CVE-2020-11901)
  • Improper input validation in IPv6 over IPv4 tunneling component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow an out-of-bounds read. (CVE-2020-11902)
  • Possible out-of-bounds read in DHCP component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information. (CVE-2020-11903)
  • Possible integer overflow or wraparound in memory allocation component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in an out-of-bounds write. (CVE-2020-11904)
  • Possible out-of-bounds read in DHCPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information. (CVE-2020-11905)
  • Improper input validation (CWE-20) in Ethernet link layer component when handling a packet sent by an unauthorized user. (CVE-2020-11906)
  • Improper handling of length parameter inconsistency in TCP component when handling a packet sent by an unauthorized network attacker. (CVE-2020-11907)
  • Improper null termination in DHCP component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information. (CVE-2020-11908)
  • Improper input validation in IPv4 component when handling a packet sent by an unauthorized network attacker. (CVE-2020-11909)
  • Improper input validation in ICMPv4 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow an out-of-bounds read. (CVE-2020-11910)
  • The affected product is vulnerable to improper access control, which may allow an attacker to change one specific configuration value. (CVE-2020-11911)
  • Improper input validation in TCP component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow an out-of-bounds read. (CVE-2020-11912)
  • Improper input validation in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow an out-of-bounds read. (CVE-2020-11913)
  • Improper input validation in ARP component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow an out-of-bounds read. (CVE-2020-11914)

Ripple20 poses a significant risk from the affected devices still in use. Potential risk scenarios include:

  • An attacker from outside the network taking control of a device within the network, if it is internet facing.
  • An attacker who has already managed to infiltrate a network using the library vulnerabilities to target specific devices within it.
  • An attacker who has already managed to infiltrate a network broadcasting an attack capable of taking over all impacted devices in the network simultaneously.
  • An attacker using an affected device as a way to remain hidden within the network for years.
  • A sophisticated attacker performing an attack on a device within the network from outside the network boundaries, thus bypassing NAT configurations. This can be done by performing a MITM attack or DNS cache poisoning.
  • In some scenarios, an attacker performing attacks from outside the network by replying to packets that leave the network boundaries, bypassing NAT.

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code in the context of the application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • All organizations must perform a comprehensive risk assessment before deploying defensive measures.
  • First deploy defensive measures in a passive “alert” mode.
  • Mitigation for operators and networks (based on CERT/CC and CISA ICS-CERT advisories):
      • The first and best mitigation is updating to patched versions of all devices.
      • If devices cannot be updated, the following steps are recommended:
          • Minimize network exposure for embedded and critical devices, keeping exposure to the minimum necessary, and ensuring that devices are not accessible from the Internet unless absolutely essential.
          • Segregate OT networks and devices behind firewalls and isolate them from the business network.
          • Enable only secure remote access methods.
          • Block anomalous IP traffic.
          • Block network attacks via deep packet inspection, to reduce risk to your Treck embedded TCP/IP-enabled devices.
  • Pre-emptive traffic filtering is an effective technique that can be applied as appropriate to your network environment. Filtering options include:
      • Normalize or block IP fragments, if not supported in your environment.
      • Disable or block IP tunneling (IPv6-in-IPv4 or IP-in-IP tunneling), if not required.
      • Block IP source routing and any deprecated IPv6 features, such as routing headers (see VU#267289).
      • Enforce TCP inspection, rejecting malformed TCP packets.
      • Block unused ICMP control messages, such as MTU update and Address Mask updates.
      • Normalize DNS through a secure recursive server or DNS inspection firewall. (Verify that your recursive DNS server normalizes requests.)
      • Provide DHCP/DHCPv6 security, with features such as DHCP snooping.
      • Disable or block IPv6 multicast capabilities if not used in the switching infrastructure.
      • Disable DHCP where static IPs can be used.
      • Employ network IDS and IPS signatures.
      • Employ network segmentation, if available.
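The filtering options above and the "length parameter inconsistency" flaw class in the technical summary both come down to the same defensive check: a normalizer or IDS in front of the embedded devices should refuse IPv4 packets whose header, total and transport length fields disagree, and should drop fragments, IP-in-IP/IPv6-in-IPv4 tunnels and source-routed packets unless the environment needs them. The following is an added example written for this advisory; it is not CIS, MS-ISAC, JSOF or Treck code. It assumes the standard IANA protocol numbers (4 for IP-in-IP, 41 for IPv6-in-IPv4, 17 for UDP) and IPv4 option kinds (131 loose and 137 strict source route); the policy thresholds, the packet builders and the sample frames are constructed here for illustration.

```python
"""Pre-filter policy check for raw IPv4 packets, modelled on the advisory's filtering
options (fragments, IP tunnelling, source routing, malformed length fields) and on the
length-inconsistency flaw class in the Treck summary. Added example; the builders and
sample frames are constructed, not captured traffic."""
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_IPV6 = 4, 17, 41   # IANA protocol numbers
SOURCE_ROUTE_OPTIONS = {131, 137}                      # IPv4 loose / strict source route


def inspect_ipv4(packet: bytes) -> list:
    """Return the policy findings for one IPv4 packet; an empty list means accept."""
    findings = []
    if len(packet) < 20:
        return ["truncated: shorter than minimal IPv4 header"]
    version_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    version, ihl = version_ihl >> 4, (version_ihl & 0x0F) * 4
    if version != 4:
        return [f"version field is {version}, not 4"]
    # The three length values must nest: header inside the declared total, total inside
    # what actually arrived. A stack that trusts these fields mishandles disagreements,
    # so a normalizer drops them before they reach the device.
    if ihl < 20:
        findings.append(f"IHL declares {ihl}-byte header, below the 20-byte minimum")
    if total_len < ihl:
        findings.append(f"total length {total_len} smaller than header length {ihl}")
    if total_len > len(packet):
        findings.append(f"total length {total_len} exceeds {len(packet)} bytes received")
    # Fragments: reassemble upstream or block when the environment cannot inspect them
    if flags_frag & 0x2000 or flags_frag & 0x1FFF:
        findings.append("fragmented datagram")
    # IP-in-IP (4) and IPv6-in-IPv4 (41) tunnelling: block unless required
    if proto in (IPPROTO_IPIP, IPPROTO_IPV6):
        findings.append(f"tunnelled payload (protocol {proto})")
    # Source routing lives in the option area between byte 20 and the end of the header
    if ihl > 20 and len(packet) >= ihl:
        findings.extend(_scan_options(packet[20:ihl]))
    # UDP length must fit inside the IP payload; checked only once IP lengths are sane
    if proto == IPPROTO_UDP and 20 <= ihl <= total_len <= len(packet):
        payload = packet[ihl:total_len]
        if len(payload) < 8:
            findings.append("UDP header truncated")
        else:
            udp_len = struct.unpack("!H", payload[4:6])[0]
            if udp_len < 8 or udp_len > len(payload):
                findings.append(
                    f"UDP length {udp_len} inconsistent with {len(payload)}-byte IP payload")
    return findings


def _scan_options(options: bytes) -> list:
    """Walk the IPv4 option TLVs, flagging source routing and malformed option lengths."""
    findings, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Options List
            break
        if kind == 1:            # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            findings.append("option header truncated")
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            findings.append(f"option {kind} has invalid length {length}")
            break
        if kind in SOURCE_ROUTE_OPTIONS:
            findings.append(f"source routing option {kind}")
        i += length
    return findings


def build_ipv4(payload: bytes, proto: int, options: bytes = b"",
               total_len=None, flags_frag: int = 0) -> bytes:
    """Assemble a constructed IPv4 packet (checksum left 0; it is not part of this check).
    total_len may be forced to a wrong value to mimic a malformed header."""
    options += b"\x00" * (-len(options) % 4)           # pad option area to 32-bit words
    ihl_words = (20 + len(options)) // 4
    if total_len is None:
        total_len = 20 + len(options) + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0x1234,
                         flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + options + payload


def udp_datagram(data: bytes, length=None) -> bytes:
    """Constructed UDP header + data; length may be forced to disagree with the data."""
    return struct.pack("!HHHH", 53, 53, len(data) + 8 if length is None else length, 0) + data


if __name__ == "__main__":
    samples = {  # constructed frames, one per policy rule
        "well-formed UDP": build_ipv4(udp_datagram(b"hello"), IPPROTO_UDP),
        "UDP length too large": build_ipv4(udp_datagram(b"hello", length=600), IPPROTO_UDP),
        "IP total length too large": build_ipv4(udp_datagram(b"hello"), IPPROTO_UDP, total_len=1500),
        "fragment": build_ipv4(udp_datagram(b"hello"), IPPROTO_UDP, flags_frag=0x2000),
        "IPv6-in-IPv4 tunnel": build_ipv4(b"\x60" + b"\x00" * 39, IPPROTO_IPV6),
        "loose source route": build_ipv4(udp_datagram(b"hello"), IPPROTO_UDP,
                                         options=bytes([131, 7, 4, 10, 0, 0, 9])),
    }
    for name, frame in samples.items():
        verdict = inspect_ipv4(frame)
        print(f"{name:28s} -> {'accept' if not verdict else 'drop: ' + '; '.join(verdict)}")
```

Run stand-alone, the script evaluates six constructed frames and reports accept or drop with the reason. The UDP check deliberately runs only after the IP-level lengths have been validated, because a UDP length read out of a packet whose total length already exceeds the received bytes would itself be an out-of-bounds read of the kind the advisory describes; an inspection device that skips that ordering reproduces the bug it is meant to filter.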

REFERENCES:
