The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of critical weaknesses in a low-level TCP/IP software library developed by Treck that, if weaponized, could allow remote attackers to execute arbitrary commands and mount denial-of-service (DoS) attacks.
All four defects affect version 184.108.40.206 of the Treck TCP/IP stack and earlier, and were reported to the company by Intel. Two of them are rated critical in severity.
Treck's embedded TCP/IP stack is used worldwide in manufacturing, information technology, healthcare, and transportation systems.
The most serious of them is a heap-based buffer overflow (CVE-2020-25066) in the Treck HTTP Server component that could allow an adversary to crash or reset the target device and even execute code remotely. It carries a CVSS score of 9.8 out of a maximum of 10.
The second flaw is an out-of-bounds write in the IPv6 component (CVE-2020-27337, CVSS score 9.1) that an unauthenticated user could exploit over the network to cause a DoS condition.
The two other weaknesses are an out-of-bounds read in the IPv6 component (CVE-2020-27338, CVSS score 5.9), which an unauthenticated attacker could trigger to cause a DoS, and improper input validation in the same module (CVE-2020-27336, CVSS score 3.7), which could result in an out-of-bounds read of up to three bytes via network access.
Treck recommends that users update the stack to version 220.127.116.11 to address the flaws. Where the latest patches cannot be applied, it is advisable to implement firewall rules that filter packets containing a negative content length in the HTTP header.
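As an added example (not code from the article, CISA or Treck), this is the check a packet filter or IDS rule would need in order to apply the workaround above, written in Python and run over constructed sample requests. It also rejects non-numeric Content-Length values, which goes slightly beyond the advisory's wording.

```python
import re

# Added example (not from the article, CISA or Treck): the check a firewall
# or IDS rule would implement for the published workaround of filtering
# packets that carry a negative Content-Length. Samples are constructed.


def content_length_values(raw_request: bytes) -> list[bytes]:
    """Return every Content-Length value in the request head (up to the
    first blank line). CRLF and bare LF line endings are both accepted."""
    head = re.split(rb"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    values = []
    for line in re.split(rb"\r?\n", head)[1:]:  # [1:] skips the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            values.append(value.strip())
    return values


def should_drop(raw_request: bytes) -> bool:
    """True when the request should be filtered. A value of the form
    -<digits> is the negative length the advisory describes; since RFC 9110
    permits only a run of digits, any other non-numeric value ('', '+5',
    '1e3') is also dropped, which goes slightly beyond the advisory."""
    for value in content_length_values(raw_request):
        if re.fullmatch(rb"-[0-9]+", value):
            return True  # explicitly negative
        if not value.isdigit():
            return True  # malformed: fail closed
    return False


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "benign": b"POST /cgi/update HTTP/1.1\r\nHost: dev\r\nContent-Length: 12\r\n\r\nhello world!",
    "negative": b"POST /cgi/update HTTP/1.1\r\nHost: dev\r\nContent-Length: -1\r\n\r\n",
    "no_body": b"GET / HTTP/1.1\r\nHost: dev\r\n\r\n",
    "lf_only": b"POST / HTTP/1.1\ncontent-length:  -2147483648 \n\n",
}


def audit(samples: dict[str, bytes]) -> dict[str, bool]:
    """Map each sample name to its drop verdict."""
    return {name: should_drop(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, drop in audit(SAMPLES).items():
        print(f"{name:>8}: {'DROP' if drop else 'pass'}")
```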
The discovery of new flaws in the Treck TCP/IP stack comes six months after Israeli cybersecurity firm JSOF uncovered 19 vulnerabilities in the software library, dubbed Ripple20, that could make it possible for attackers to gain complete control over targeted IoT devices without any user interaction.
What's more, earlier this month, Forescout researchers uncovered 33 vulnerabilities, collectively called AMNESIA:33, affecting open source TCP/IP protocol stacks that a bad actor could abuse to take over a vulnerable system.
Given the complex IoT supply chain involved, the company has released a new detection tool called "project-memoria-detector" to identify, in a lab setting, whether a target network device is running a vulnerable TCP/IP stack.
The tool is available on GitHub.