19 remotely exploitable vulnerabilities in Treck's TCP/IP stack

19 vulnerabilities have been disclosed in Treck's proprietary TCP/IP stack, all exploitable by sending specially crafted packets. The vulnerabilities have been codenamed Ripple20. Some of them also appear in the KASAGO TCP/IP stack from Zuken Elmic (Elmic Systems), which shares common roots with Treck. The Treck stack is used in many industrial, medical, communications, embedded and consumer devices (from smart lamps to printers and uninterruptible power supplies), as well as in energy, transportation, aviation, commercial and oil production equipment.

Notable attack targets that use the Treck TCP/IP stack include HP network printers and Intel chips. Among other things, problems in the Treck stack turned out to be the cause of the recently disclosed remote vulnerabilities in the Intel AMT and ISM subsystems, exploitable by sending a network packet. The vulnerabilities have been confirmed by Intel, HP, Hewlett Packard Enterprise, Baxter, Caterpillar, Digi, Rockwell Automation, and Schneider Electric. A further 66 manufacturers whose products use the Treck TCP/IP stack have yet to respond to the issues; 5 manufacturers, including AMD, declared that their products are not susceptible.

Problems were found in the implementation of the IPv4, IPv6, UDP, DNS, DHCP, TCP, ICMPv4 and ARP protocols. They are caused by incorrect handling of length parameters (trusting a length field without checking the actual size of the received data), input validation errors, double frees, out-of-bounds reads, integer overflows, incorrect access control, and mishandling of null-terminated strings.

The two most dangerous issues (CVE-2020-11896 and CVE-2020-11897), both rated CVSS 10, allow arbitrary code execution on the device by sending specially crafted IPv4/UDP or IPv6 packets. The first critical problem affects devices that support IPv4 tunnels, and the second affects versions released before 04.06.2009 with IPv6 support. Another critical vulnerability (CVSS 9) is present in the DNS resolver (CVE-2020-11901) and allows code execution by sending a specially crafted DNS request (the issue was used to demonstrate the hack of a Schneider Electric APC UPS and affects devices with DNS support).

Other vulnerabilities (CVE-2020-11898, CVE-2020-11899, CVE-2020-11902, CVE-2020-11903 and CVE-2020-11905) allow an attacker to read the contents of areas of system memory. The remaining issues can result in a denial of service or leakage of residual data from system buffers.

Most of the vulnerabilities were fixed in Treck 6.0.1.67 (CVE-2020-11897 was fixed in 5.0.1.35, CVE-2020-11900 in 6.0.1.41, CVE-2020-11903 in 6.0.1.28, and CVE-2020-11908 in 4.7.1.27). Because device-specific firmware updates can be slow or impossible to prepare (the Treck stack has been shipping for over 20 years, and many devices are unmaintained or difficult to update), administrators are advised to isolate affected devices and configure packet inspection systems, firewalls, or routers to normalize or block fragmented packets, block IP tunnels (IPv4-in-IPv6 and IP-in-IP), block source routing, enable inspection for incorrect options in TCP packets, block unused ICMP control messages (MTU Update and Address Mask), disable IPv6 multicast, and redirect DNS requests to a secure recursive DNS server.
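The filter categories from the mitigation list above, implemented as packet-classification logic over constructed raw IPv4 packets (an added example, not code from opennet.ru, Treck or any vendor advisory). It assumes the standard IANA numbers for IP-in-IP (4), IPv6-in-IPv4 (41), the LSRR/SSRR options (131/137) and ICMP Address Mask (types 17/18), reads "MTU Update" as ICMP Destination Unreachable code 4, and uses constructed 192.0.2.x sample addresses; it also shows the length-field check whose absence is the bug class described earlier.

```python
import struct

# Protocol numbers, IPv4 option kinds and ICMP types named in the mitigation list (IANA values).
IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_IPV6 = 1, 4, 41   # IP-in-IP and IPv6-in-IPv4 tunnels
OPT_LSRR, OPT_SSRR = 131, 137                          # loose / strict source routing
ICMP_ADDR_MASK = {17, 18}                              # Address Mask request / reply
ICMP_MTU_UPDATE = (3, 4)                               # Dest. Unreachable, "fragmentation needed" (assumed reading of "MTU Update")

def build_ipv4(proto, payload=b"", options=b"", frag=0):
    """Constructed sample packets for testing only (header checksum left at zero)."""
    options += b"\x00" * (-len(options) % 4)           # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                      0x1234, frag, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + options + payload

def classify_ipv4(pkt: bytes) -> list:
    """Return the mitigation categories a raw IPv4 packet matches ([] = nothing to block)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["malformed"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len, flags_frag = struct.unpack("!2xH2xH", pkt[:8])
    proto = pkt[9]
    # Header-declared lengths must match the bytes actually on the wire; trusting the
    # length field without this check is the bug class behind several Ripple20 issues.
    if ihl < 20 or ihl > len(pkt) or total_len != len(pkt):
        return ["length-mismatch"]
    hits = []
    if flags_frag & 0x3FFF:                            # MF flag set or non-zero fragment offset
        hits.append("fragment")
    if proto in (IPPROTO_IPIP, IPPROTO_IPV6):
        hits.append("ip-tunnel")
    opts, i = pkt[20:ihl], 0
    while i < len(opts) and opts[i] != 0:              # 0 = End of Option List
        if opts[i] == 1:                               # 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            hits.append("bad-option")                  # TLV length runs past the header
            break
        if opts[i] in (OPT_LSRR, OPT_SSRR):
            hits.append("source-routing")
        i += opts[i + 1]
    if proto == IPPROTO_ICMP and len(pkt) >= ihl + 2:
        icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
        if icmp_type in ICMP_ADDR_MASK or (icmp_type, icmp_code) == ICMP_MTU_UPDATE:
            hits.append("unused-icmp")
    return hits
```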


Source: opennet.ru