
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN349
_____________________________________________________________________

DATE                : 17/06/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Treck Inc TCP/IP stack.

=====================================================================
https://www.us-cert.gov/ics/advisories/icsa-20-168-01
https://treck.com/vulnerability-response-information/
_____________________________________________________________________

ICS Advisory (ICSA-20-168-01)

Treck TCP/IP Stack

Original release date: June 16, 2020

Legal Notice

All information products included in https://us-cert.gov/ics are
provided "as is" for informational purposes only. The Department of
Homeland Security (DHS) does not provide any warranties of any kind
regarding any information contained within. DHS does not endorse any
commercial product or service, referenced in this product or otherwise.
Further dissemination of this product is governed by the Traffic Light
Protocol (TLP) marking in the header. For more information
about TLP, see https://www.us-cert.gov/tlp/.


1. EXECUTIVE SUMMARY

  o CVSS v3 10.0
  o ATTENTION: Exploitable remotely
  o Vendor: Treck Inc.
  o Equipment: TCP/IP
  o Vulnerabilities: Improper Handling of Length Parameter
    Inconsistency, Improper Input Validation, Double Free, Out-of-bounds
    Read, Integer Overflow or Wraparound, Improper Null Termination,
    Improper Access Control

CISA is aware of a public report, known as "Ripple20", that details
vulnerabilities found in the Treck TCP/IP stack. CISA is issuing this
advisory to provide early notice of the reported vulnerabilities and to
identify baseline mitigations for reducing the risk from these and other
cybersecurity attacks.


2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow remote code
execution or exposure of sensitive information.


3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following components of the Treck TCP/IP stack are affected:

  o IPv4
  o IPv6
  o UDP
  o DNS
  o DHCP
  o TCP
  o ICMPv4
  o ARP


3.2 VULNERABILITY OVERVIEW

3.2.1    IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130

Improper handling of length parameter inconsistency in IPv4/UDP
component when handling a packet sent by an unauthorized network
attacker. This vulnerability may result in remote code execution.

CVE-2020-11896 has been assigned to this vulnerability. A CVSS v3 base
score of 10.0 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).


3.2.2    IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130

Improper handling of length parameter inconsistency in IPv6 component
when handling a packet sent by an unauthorized network attacker. This
vulnerability may result in possible out-of-bounds write.

CVE-2020-11897 has been assigned to this vulnerability. A CVSS v3 base
score of 10.0 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).


3.2.3    IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130

Improper handling of length parameter inconsistency in IPv4/ICMPv4
component when handling a packet sent by an unauthorized network
attacker. This vulnerability may result in out-of-bounds Read.

CVE-2020-11898 has been assigned to this vulnerability. A CVSS v3 base
score of 9.1 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).


3.2.4    IMPROPER INPUT VALIDATION CWE-20

Improper input validation in IPv6 component when handling a packet sent
by an unauthorized network attacker. This vulnerability may allow out-
of-bounds Read and a possible Denial of Service.

CVE-2020-11899 has been assigned to this vulnerability. A CVSS v3 base
score of 5.4 has been calculated; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).


3.2.5    DOUBLE FREE CWE-415

Possible double free in IPv4 tunneling component when handling a packet
sent by a network attacker. This vulnerability may result in use after
free.

CVE-2020-11900 has been assigned to this vulnerability. A CVSS v3 base
score of 8.2 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.6    IMPROPER INPUT VALIDATION CWE-20

Improper input validation in DNS resolver component when handling a
packet sent by an unauthorized network attacker. This vulnerability may
result in remote code execution.

CVE-2020-11901 has been assigned to this vulnerability. A CVSS v3 base
score of 9.0 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).


3.2.7    IMPROPER INPUT VALIDATION CWE-20

Improper input validation in IPv6 over IPv4 tunneling component when
handling a packet sent by an unauthorized network attacker. This
vulnerability may allow out-of-bounds Read.

CVE-2020-11902 has been assigned to this vulnerability. A CVSS v3 base
score of 7.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).


3.2.8    OUT-OF-BOUNDS READ CWE-125

Possible out-of-bounds read in DHCP component when handling a packet
sent by an unauthorized network attacker. This vulnerability may allow
exposure of sensitive information.

CVE-2020-11903 has been assigned to this vulnerability. A CVSS v3 base
score of 5.3 has been calculated; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).


3.2.9    INTEGER OVERFLOW OR WRAPAROUND CWE-190

Possible integer overflow or wraparound in memory allocation component
when handling a packet sent by an unauthorized network attacker may
result in out-of-bounds write.

CVE-2020-11904 has been assigned to this vulnerability. A CVSS v3 base
score of 5.6 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).


3.2.10    OUT-OF-BOUNDS READ CWE-125

Possible out-of-bounds read in DHCPv6 component when handling a packet
sent by an unauthorized network attacker. This vulnerability may allow
exposure of sensitive information.

CVE-2020-11905 has been assigned to this vulnerability. A CVSS v3 base
score of 5.3 has been calculated; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).


3.2.11    IMPROPER INPUT VALIDATION CWE-20

Improper input validation in Ethernet link layer component when handling
a packet sent by an unauthorized network attacker.

CVE-2020-11906 has been assigned to this vulnerability. A CVSS v3 base
score of 5.0 has been calculated; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).


3.2.12    IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130

Improper handling of length parameter inconsistency in TCP component,
from a packet sent by an unauthorized network attacker.

CVE-2020-11907 has been assigned to this vulnerability. A CVSS v3 base
score of 5.0 has been calculated; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).


3.2.13    IMPROPER NULL TERMINATION CWE-170

Improper null termination in DHCP component when handling a packet sent
by an unauthorized network attacker. This vulnerability may allow
exposure of sensitive information.

CVE-2020-11908 has been assigned to this vulnerability. A CVSS v3 base
score of 3.1 has been calculated; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).


3.2.14    IMPROPER INPUT VALIDATION CWE-20

Improper input validation in IPv4 component when handling a packet sent
by an unauthorized network attacker.

CVE-2020-11909 has been assigned to this vulnerability. A CVSS v3 base
score of 3.7 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).


3.2.15    IMPROPER INPUT VALIDATION CWE-20

Improper input validation in ICMPv4 component when handling a packet
sent by an unauthorized network attacker. This vulnerability may allow
out-of-bounds Read.

CVE-2020-11910 has been assigned to this vulnerability. A CVSS v3 base
score of 3.7 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).


3.2.16    IMPROPER ACCESS CONTROL CWE-284

The affected product is vulnerable to improper access control, which may
allow an attacker to change one specific configuration value.

CVE-2020-11911 has been assigned to this vulnerability. A CVSS v3 base
score of 3.7 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).


3.2.17    IMPROPER INPUT VALIDATION CWE-20

Improper input validation in TCP component when handling a packet sent
by an unauthorized network attacker. This vulnerability may allow
out-of-bounds Read.

CVE-2020-11912 has been assigned to this vulnerability. A CVSS v3 base
score of 3.7 has been calculated; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).


3.2.18    IMPROPER INPUT VALIDATION CWE-20

Improper input validation in IPv6 component when handling a packet sent
by an unauthorized network attacker. This vulnerability may allow
out-of-bounds Read.

CVE-2020-11913 has been assigned to this vulnerability. A CVSS v3 base
score of 3.7 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).


3.2.19    IMPROPER INPUT VALIDATION CWE-20

Improper input validation in ARP component when handling a packet sent
by an unauthorized network attacker. This vulnerability may allow out-
of-bounds Read.

CVE-2020-11914 has been assigned to this vulnerability. A CVSS v3 base
score of 3.1 has been calculated; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).


3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing,
    Information Technology, Healthcare and Public Health, Transportation
    Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Shlomi Oberman and Moshe Kol from JSOF reported these vulnerabilities to
CERT/CC.


4. MITIGATIONS

Treck recommends users apply the latest version of the affected products
(Treck TCP/IP 6.0.1.66 or later versions). To obtain patches, email
security@treck.com.

For more detailed information on the vulnerabilities and the mitigating
controls, please see the Treck advisory. Additional vendors affected by
the reported vulnerabilities have also released security advisories
related to their affected products. Those advisories are as follows:

  o B.Braun
  o Caterpillar
  o Green Hills
  o Rockwell
  o Schneider Electric

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or
    systems, and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls,
    and isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing that VPNs may have
    vulnerabilities and should be updated to the most current version
    available. Also recognize that VPN is only as secure as the
    connected devices.
  o Use an internal DNS server that performs DNS-over-HTTPS for lookups.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage on us-cert.gov. Several recommended
practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage on us-cert.gov in the Technical Information
Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and
Mitigation Strategies.

Organizations observing any suspected malicious activity should follow
their established internal procedures and report their findings to CISA
for tracking and correlation against other incidents.

High skill level is needed to exploit. No known public exploits
specifically target these vulnerabilities.


Contact Information

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:
https://www.us-cert.gov/ics
or incident reporting:  https://www.us-cert.gov/report

______________________________________________________________________


Treck is committed to delivering secure, high performing products.

For
more than 20 years we have been consistently working to maintain the
quality and integrity of our products.  Our latest version of Treck’s
TCP/IPv4/v6 and associated protocols has been updated to include fixes
for a group of vulnerabilities (VU#257161 and ICS-VU-035787) that were
reported by Moshe Kol and Shlomi Oberman of the independent security
research group, JSOF.  Treck is also providing patches for each issue
that was reported.  Some of the issues are of high severity.  The
exposure to these high severity issues greatly depends on the Treck
products being used.  To determine the level of exposure Treck customers
should review the list of CVEs below and contact security@treck.com.

To receive more information about the vulnerabilities or the Treck
release containing fixes, or for patches for all of these reported
issues, please contact security@treck.com.

CVE-2020-11896
CVE-2020-11897
CVE-2020-11898
CVE-2020-11899
CVE-2020-11900
CVE-2020-11901
CVE-2020-11902
CVE-2020-11903
CVE-2020-11904
CVE-2020-11905
CVE-2020-11906
CVE-2020-11907
CVE-2020-11908
CVE-2020-11909
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11913
CVE-2020-11914

CERT Coordination Center Advisory – https://kb.cert.org/vuls/id/257161
ICS-CERT Advisory – https://www.us-cert.gov/ics/advisories/icsa-20-168-01



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================