Ripple20, a series of vulnerabilities in Treck's TCP/IP stack affecting various devices

Recently the news broke that about 19 vulnerabilities were found in Treck's proprietary TCP/IP stack, which can be exploited by sending specially crafted packets.

The vulnerabilities found were given the code name Ripple20, and some of them also appear in Zuken Elmic's (Elmic Systems) KASAGO TCP/IP stack, which shares common roots with Treck's.

The worrying thing about this series of vulnerabilities is that the Treck TCP/IP stack is used by many industrial, medical, communication, embedded and consumer devices (from smart lamps to printers and uninterruptible power supplies), as well as in energy, transportation, aviation, trade and oil production equipment.

About vulnerabilities

Notable devices that use the Treck TCP/IP stack include HP network printers and Intel chips.

The problems in the Treck TCP/IP stack turned out to be the cause of the recent remotely exploitable vulnerabilities in the Intel AMT and ISM subsystems, which are triggered by sending a network packet.

Intel, HP, Hewlett Packard Enterprise, Baxter, Caterpillar, Digi, Rockwell Automation and Schneider Electric have confirmed the vulnerabilities. A further 66 manufacturers whose products use the Treck TCP/IP stack have not yet responded to the issues, and 5 manufacturers, including AMD, announced that their products are not affected.

Problems were found in the implementations of the IPv4, IPv6, UDP, DNS, DHCP, TCP, ICMPv4 and ARP protocols. They were caused by incorrect handling of size parameters (using a length field without checking the actual size of the received data), insufficient validation of input, double frees, out-of-bounds reads, integer overflows, incorrect access control, and mishandling of null-terminated strings.
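As an added illustration (not code from the article, from Treck or from any of the vendors named), the following Python sketch shows the first bug class listed above: a length field trusted without checking how many bytes were actually received. Because embedded stacks typically reuse one fixed receive buffer, the consequence is exactly the leakage of residual buffer data that the article mentions further down. The toy header format, buffer size and function names are hypothetical.

```python
"""Trusted length field vs. checked length field over a reused receive buffer.

Hypothetical toy protocol: a 2-byte big-endian payload length, then the payload.
Everything here is constructed for illustration; it models no real stack.
"""
import struct

BUF_SIZE = 64   # fixed receive buffer, reused for every incoming frame
HDR_LEN = 2     # size of the toy length header


class ReceiveBuffer:
    def __init__(self):
        self.buf = bytearray(BUF_SIZE)
        self.received = 0   # how many bytes the *current* frame actually filled

    def receive(self, frame: bytes) -> None:
        # Copy the frame into the front of the buffer. Bytes beyond
        # `received` are NOT cleared: they still hold the previous frame.
        frame = frame[:BUF_SIZE]
        self.buf[:len(frame)] = frame
        self.received = len(frame)


def parse_trusting_length(rb: ReceiveBuffer) -> bytes:
    """Vulnerable pattern: the declared length is used as-is.

    In C this is an out-of-bounds read once `declared` exceeds the buffer;
    here Python clips the slice, so the visible effect is the data leak.
    """
    (declared,) = struct.unpack_from("!H", rb.buf, 0)
    return bytes(rb.buf[HDR_LEN:HDR_LEN + declared])


def parse_checked_length(rb: ReceiveBuffer):
    """Hardened pattern: the declared length must fit in the bytes received."""
    if rb.received < HDR_LEN:
        return None                       # header itself is incomplete
    (declared,) = struct.unpack_from("!H", rb.buf, 0)
    if declared > rb.received - HDR_LEN:
        return None                       # reject instead of reading stale bytes
    return bytes(rb.buf[HDR_LEN:HDR_LEN + declared])


def make_frame(payload: bytes, declared_len=None) -> bytes:
    """Build a toy frame; `declared_len` lets a test lie about the length."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!H", declared_len) + payload


def demo():
    rb = ReceiveBuffer()
    # A benign frame leaves its (constructed) sensitive payload in the buffer.
    rb.receive(make_frame(b"SECRET-SESSION-TOKEN"))
    # A later frame carries 2 bytes but claims 20. The trusting parser hands
    # back the 2 real bytes plus 18 stale bytes of the previous frame; the
    # checked parser rejects the frame.
    rb.receive(make_frame(b"hi", declared_len=20))
    leaked = parse_trusting_length(rb)
    safe = parse_checked_length(rb)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("trusting parser returned:", leaked)
    print("checked parser returned:", safe)
```

The same check (declared length bounded by received length, and both bounded by the buffer) is what a reviewer looks for in every header-parsing function of an embedded stack; the hardened version also refuses frames shorter than the header, which is the other half of the same defect.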

The impact of these vulnerabilities varies with the combination of compile-time and runtime options used when building each embedded system. This diversity of implementations, together with the lack of visibility into the supply chain, makes it hard to assess the impact of these vulnerabilities accurately.

In short, an unauthenticated remote attacker can use specially crafted network packets to cause a denial of service, reveal information, or execute arbitrary code.

The two most dangerous issues (CVE-2020-11896 and CVE-2020-11897), both rated CVSS 10, allow an attacker to execute code on the device by sending specially crafted IPv4/UDP or IPv6 packets.

The first critical issue affects devices with support for IPv4 tunnels, and the second affects IPv6-enabled versions released before June 4, 2009. Another critical vulnerability (CVSS 9) is present in the DNS resolver (CVE-2020-11901) and allows code execution by submitting a specially crafted DNS response; it was used to demonstrate an attack on a Schneider Electric APC UPS and affects devices with DNS support.

Other vulnerabilities (CVE-2020-11898, CVE-2020-11899, CVE-2020-11902, CVE-2020-11903 and CVE-2020-11905) allow the contents of system memory areas to be disclosed by sending specially crafted IPv4/ICMPv4, IPv6OverIPv4, DHCP, DHCPv6 or IPv6 packets. The remaining issues can lead to denial of service or leakage of residual data from system buffers.

Most of the vulnerabilities were fixed in the Treck 6.0.1.67 release (CVE-2020-11897 was fixed in 5.0.1.35, CVE-2020-11900 in 6.0.1.41, CVE-2020-11903 in 6.0.1.28, and CVE-2020-11908 in 4.7.1.27).

Since preparing firmware updates for specific devices can be time consuming or impossible, given that the Treck stack has been shipped for over 20 years, many devices have been left without updates or are difficult to update.

Administrators are advised to isolate affected devices and, in packet inspection systems, firewalls or routers, to configure normalization or blocking of fragmented packets, block IP tunnels (IPv6-in-IPv4 and IP-in-IP), block source routing, enable inspection of malformed TCP options, and block unused ICMP control messages (MTU Update and Address Mask).


manolin said:

I was just mining Ripple and my PC screwed up, or so they told me. Can I fix it myself, or will I have to take it to laptop repair?