New Critical Flaws in Treck TCP/IP Stack Affect Millions of IoT Devices

The US Cybersecurity and Infrastructure Security Agency (CISA)
has warned[1]
of critical vulnerabilities in a low-level TCP/IP software library
developed by Treck that, if weaponized, could allow remote
attackers to run arbitrary commands and mount denial-of-service
(DoS) attacks.

The four flaws affect Treck TCP/IP stack version 6.0.1.67 and
earlier and were reported to the company by Intel. Two of these are
rated critical in severity.

Treck’s embedded TCP/IP stack is deployed worldwide in
manufacturing, information technology, healthcare, and
transportation systems.

The most severe of them is a heap-based buffer overflow
vulnerability (CVE-2020-25066) in the Treck HTTP Server
component that could permit an adversary to crash or reset the
target device and even execute remote code. It has a CVSS score of
9.8 out of a maximum of 10.

The second flaw is an out-of-bounds write in the IPv6 component
(CVE-2020-27337, CVSS score 9.1) that could be exploited by
an unauthenticated user to cause a DoS condition via network
access.

Two other vulnerabilities concern an out-of-bounds read in the
IPv6 component (CVE-2020-27338, CVSS score 5.9) that could
be leveraged by an unauthenticated attacker to cause DoS and an
improper input validation in the same module
(CVE-2020-27336, CVSS score 3.7) that could result in an
out-of-bounds read of up to three bytes via network access.

Treck recommends[2]
that users update the stack to version 6.0.1.68 to address the flaws.
In cases where the latest patches cannot be applied, it's advised
that firewall rules be implemented to filter out packets that
contain a negative content-length in the HTTP header.
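The interim firewall mitigation above can also be expressed as a header check a reverse proxy or IDS rule applies in front of an affected device. The following Python is an added example written for this article, not code from Treck, CISA or Intel: it parses the header block of a raw HTTP request, extracts every Content-Length value, and returns a verdict. It goes slightly beyond the advisory's wording, which only mentions negative values, by also rejecting non-numeric and conflicting lengths, since those are the same class of input a length-handling bug would choke on. The sample requests at the bottom are constructed for illustration.

```python
"""Classify HTTP requests by their Content-Length header.

Added example for the mitigation described in the article (not Treck's,
CISA's or Intel's code). Verdicts:
  'pass'            no Content-Length, or a single well-formed non-negative value
  'drop-negative'   a value starting with '-' (the case the advisory filters)
  'drop-malformed'  a value that is not a plain decimal integer ('', '0x10', '1e3', '+5')
  'drop-conflict'   several Content-Length headers that disagree with each other
"""
import re

# Header name match is case-insensitive; surrounding spaces/tabs are stripped.
CONTENT_LENGTH_RE = re.compile(rb"^content-length:[ \t]*(.*?)[ \t]*$", re.IGNORECASE)


def content_length_values(raw_request: bytes) -> list:
    """Return every Content-Length value found in the header block, as bytes."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]   # headers end at the first blank line
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        m = CONTENT_LENGTH_RE.match(line)
        if m:
            values.append(m.group(1))
    return values


def classify_content_length(raw_request: bytes) -> str:
    """Return 'pass' or a 'drop-*' reason for one raw HTTP request."""
    values = content_length_values(raw_request)
    if not values:
        return "pass"                       # no body length declared; nothing to validate
    parsed = []
    for v in values:
        if v.startswith(b"-"):
            return "drop-negative"          # the negative-length case from the advisory
        if not v.isdigit():                 # bytes.isdigit(): ASCII digits only, non-empty
            return "drop-malformed"
        parsed.append(int(v))
    if len(set(parsed)) > 1:
        return "drop-conflict"              # disagreeing lengths are rejected outright
    return "pass"


# Constructed sample traffic (hypothetical host 'dev', not from the article).
SAMPLE_REQUESTS = {
    "normal":    b"POST /cgi HTTP/1.1\r\nHost: dev\r\nContent-Length: 12\r\n\r\nhello world!",
    "negative":  b"POST /cgi HTTP/1.1\r\nHost: dev\r\ncontent-length: -1\r\n\r\n",
    "malformed": b"POST /cgi HTTP/1.1\r\nHost: dev\r\nContent-Length: 0x10\r\n\r\n",
    "conflict":  b"POST /cgi HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 7\r\n\r\n",
    "no_length": b"GET / HTTP/1.1\r\nHost: dev\r\n\r\n",
}


def scan_samples() -> dict:
    """Run the classifier over every constructed sample and return name -> verdict."""
    return {name: classify_content_length(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:10s} -> {verdict}")
```

Note that a Content-Length filter only covers the HTTP server component (CVE-2020-25066); it does nothing for the three IPv6 issues, which are reachable without HTTP, so the stack update remains the real fix.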

The disclosure of new flaws in Treck TCP/IP stack comes six
months after Israeli cybersecurity company JSOF uncovered 19
vulnerabilities in the software library — dubbed Ripple20[3]
— that could make it possible for attackers to gain complete
control over targeted IoT devices without requiring any user
interaction.

What’s more, earlier this month, Forescout researchers revealed
33 vulnerabilities — collectively called AMNESIA:33[4]
— impacting open-source TCP/IP protocol stacks that could be abused
by a bad actor to take over a vulnerable system.

Given the complex IoT supply chain involved, Forescout has
released a new detection tool called "project-memoria-detector" to
identify whether a target network device runs a vulnerable TCP/IP
stack in a lab setting.

You can access the tool via GitHub here[5].

References

  1. warned (us-cert.cisa.gov)
  2. recommends (treck.com)
  3. Ripple20 (thehackernews.com)
  4. AMNESIA:33 (thehackernews.com)
  5. here (github.com)
