Treck IP stack implementations for embedded systems are affected by multiple vulnerabilities. This set of vulnerabilities was researched and reported by JSOF, who calls them Ripple20.
Treck IP network stack software is designed for and used in a variety of embedded systems. The software can be licensed and integrated in various ways, including compiled from source, licensed for modification and reuse and finally as a dynamic or static linked library. Treck IP software contains multiple vulnerabilities, most of which are caused by memory management bugs. For more details on the vulnerabilities introduced by these bugs, see Treck's Vulnerability Response Information and JSOF's Ripple20 advisory.
Historically-related KASAGO TCP/IP middleware from Zuken Elmic (formerly Elmic Systems) is also affected by some of these vulnerabilities.
These vulnerabilities likely affect industrial control systems and medical devices. Please see ICS-CERT Advisory ICSA-20-168-01 for more information.
The impact of these vulnerabilities will vary due to the combination of build and runtime options used while developing different embedded systems. This diversity of implementations and the lack of supply chain visibility has exasperated the problem of accurately assessing the impact of these vulnerabilities. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause a denial of service, disclose information, or execute arbitrary code.
Update to the latest stable version of Treck IP stack software (220.127.116.11 or later). Please contact Treck at email@example.com. Downstream users of embedded systems that incorporate Treck IP stacks should contact their embbeded system vendor.
Block anomalous IP traffic
Consider blocking network attacks via deep packet inspection. In some cases, modern switches, routers, and firewalls will drop malformed packets with no additional configuration. It is recommended that such security features are not disabled. Below is a list of possible mitigations that can be applied as appropriate to your network environment.
- Normalize or reject IP fragmented packets (IP Fragments) if not supported in your environment
- Disable or block IP tunneling, both IPv6-in-IPv4 or IP-in-IP tunneling if not required
- Block IP source routing and any IPv6 deprecated features like routing headers (see also VU#267289)
- Enforce TCP inspection and reject malformed TCP packets
- Block unused ICMP control messages such MTU Update and Address Mask updates
- Normalize DNS through a secure recursive server or application layer firewall
- Ensure that you are using reliable OSI layer 2 equipment (Ethernet)
- Provide DHCP/DHCPv6 security with feature like DHCP snooping
- Disable or block IPv6 multicast if not used in switching infrastructure
Further recommendations are available here.
Detect anomalous IP traffic
Suricata IDS has built-in decoder-event rules that can be customized to detect attempts to exploit these vulnerabilities. See the rule below for an example. A larger set of selected vu-257161.rules are available from the CERT/CC Github repository.
#IP-in-IP tunnel with fragments
alert ip any any -> any any (msg:"VU#257161:CVE-2020-11896, CVE-2020-11900 Fragments inside IP-in-IP tunnel https://kb.cert.org/vuls/id/257161"; ip_proto:4; fragbits:M; sid:1367257161; rev:1;)
Moshe Kol and Shlomi Oberman of JSOF https://jsof-tech.com researched and reported these vulnerabilities. Treck worked closely with us and other stakeholders to coordinate the disclosure of these vulnerabilities.
This document was written by Vijay Sarvepalli.
Aruba Networks Affected
Baxter US Affected
B. Braun Affected
Digi International Affected
Green Hills Software Affected
Hewlett Packard Enterprise Affected
HP Inc. Affected
Rockwell Automation Affected
Schneider Electric Affected
Zuken Elmic Affected
Afero Not Affected
Apple Not Affected
BlackBerry Not Affected
Check Point Not Affected
IBM Corporation Not Affected
LANCOM Systems GmbH Not Affected
Medtronic Not Affected
NVIDIA Not Affected
Philips Electronics Not Affected
Sierra Wireless Not Affected
Synology Not Affected
Systech Not Affected
Technicolor Not Affected
Texas Instruments Not Affected
Wind River Not Affected
Zyxel Not Affected
BAE Systems Unknown
Blunk Microsystems Unknown
Brother USA Unknown
Contiki OS Unknown
Dell EMC Unknown
Dell SecureWorks Unknown
Diebold Election Systems Unknown
Elmic Systems Unknown
Extreme Networks Unknown
HMS Networks AB Unknown
IBM Corporation (zseries) Unknown
LITE-ON Technology Corporation Unknown
Lynx Software Technologies Unknown
Monroe Electronics Unknown
Motorola Inc. Unknown
NEC Corporation Unknown
Polycom Inc. Unknown
QNX Software Systems Inc. Unknown
Ricoh Company Ltd. Unknown
Sharp Electronics Corporation Unknown
SimCom Wireless Unknown
Toshiba Corporation Unknown
Zephyr Project Unknown
|CVE IDs:||CVE-2020-11896 CVE-2020-11897 CVE-2020-11898 CVE-2020-11899 CVE-2020-11900 CVE-2020-11901 CVE-2020-11902 CVE-2020-11903 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11908 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914|
|Date First Published:||2020-06-16|
|Date Last Updated:||2020-07-03 16:46 UTC|