Full Report
Vulnerabilities have been identified in the IPv6 component in the Treck TCP/IP stack implementation. It is recommended that vendors of IoT devices using that implementation issue security advisories.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Treck IPv6 Stack
## CVE Details
- **CVE ID:** CVE-2020-25066, CVE-2020-27339, CVE-2020-27338, CVE-2020-27337
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** CWE-121 (Stack-based Buffer Overflow), CWE-122 (Heap-based Buffer Overflow), CWE-190 (Integer Overflow), CWE-125 (Out-of-bounds Read)
## Affected Systems
- **Products:** IoT and embedded devices utilizing the Treck TCP/IP stack.
- **Versions:** All versions of the Treck TCP/IP stack prior to v6.0.1.67.
- **Configurations:** Devices with the IPv6 component enabled and exposed to network traffic.
## Vulnerability Description
The vulnerabilities exist within the Treck IPv6 stack implementation. The most severe flaws (CVE-2020-25066 and CVE-2020-27337) involve improper validation of input length when handling IPv6 packets.
- **CVE-2020-25066:** A heap-based buffer overflow in the Treck HTTP Server component when handling specific parameters, potentially leading to Remote Code Execution (RCE).
- **CVE-2020-27337:** An out-of-bounds write vulnerability in the IPv6 stack that allows an unauthenticated user to cause a Denial of Service (DoS) or potentially achieve RCE via a specially crafted IPv6 packet.
## Exploitation
- **Status:** Vulnerabilities verified by researchers; no widespread exploitation in the wild reported at the time of disclosure.
- **Complexity:** Medium (Requires knowledge of the proprietary stack’s memory management).
- **Attack Vector:** Network (Unauthenticated remote attackers can trigger these via the network).
## Impact
- **Confidentiality:** High (Potential for memory leakage or full system compromise).
- **Integrity:** High (Potential for unauthorized modification of system state/code execution).
- **Availability:** High (Immediate system crash or infinite loop leading to DoS).
## Remediation
### Patches
- **Treck Update:** All users should update the Treck TCP/IP stack to version **6.0.1.67** or later.
- **Vendor Responsibility:** Users of IoT devices must contact their respective hardware vendors (e.g., Schneider Electric, Caterpillar) for firmware updates incorporating the patched Treck stack.
### Workarounds
- **Disable IPv6:** If IPv6 functionality is not required, disabling the IPv6 stack on the device will mitigate the primary attack surface.
- **Network Filtering:** Implement firewall rules to block unsolicited IPv6 traffic and inspect for malformed IPv6 packets at the network perimeter.
- **Micro-segmentation:** Isolate legacy IoT devices that cannot be patched into restricted VLANs.
## Detection
- **Indicators of Compromise:** Unusual device reboots, unresponsive network services, or crashes in the IPv6 handling process.
- **Detection Methods and Tools:**
  - Use Deep Packet Inspection (DPI) to identify malformed IPv6 extension headers.
  - Monitor for heap/stack corruption signatures in embedded device logs where available.
  - Security scanners (such as Tenable or Qualys) have released plugins to identify vulnerable Treck stack signatures based on TCP/IP fingerprinting.
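As an added example (not code from the advisory, from Treck, or from any scanner vendor), the kind of length-consistency check a DPI rule or an offline pcap triage script can apply to an IPv6 extension-header chain. The header-type table, the chain-depth cap and the two constructed packets are assumptions of this example; the check flags only packets whose length fields disagree with the bytes actually present, which is the class of input-length validation failure the advisory describes, not a signature for any specific CVE.

```python
import struct

# Extension headers that start with (next_header, hdr_ext_len), where hdr_ext_len is in
# 8-octet units excluding the first 8 octets. Fragment (44) is a fixed 8 bytes.
# This table and the depth cap are assumptions of this example, not from the advisory.
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 60: "Destination Options"}
FRAGMENT = 44
MAX_CHAIN = 8  # heuristic cap on chain depth

def check_ipv6_ext_chain(pkt: bytes) -> list:
    """Walk the extension-header chain and report any length field that
    disagrees with the bytes actually present. An empty list means consistent."""
    if len(pkt) < 40:
        return ["truncated: fewer than 40 bytes for the fixed IPv6 header"]
    if pkt[0] >> 4 != 6:
        return [f"not IPv6: version field is {pkt[0] >> 4}"]
    findings = []
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if 40 + payload_len > len(pkt):
        findings.append(f"payload length {payload_len} exceeds {len(pkt) - 40} bytes present")
    nxt, off, end = pkt[6], 40, min(len(pkt), 40 + payload_len)
    for _ in range(MAX_CHAIN + 1):
        if nxt not in EXT_HEADERS and nxt != FRAGMENT:
            break  # reached the upper-layer header (TCP/UDP/ICMPv6/...)
        name = EXT_HEADERS.get(nxt, "Fragment")
        if off + 2 > end:
            findings.append(f"{name} header at offset {off} is truncated")
            break
        hlen = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hlen > end:
            findings.append(f"{name} at offset {off} claims {hlen} bytes but only {end - off} remain")
            break
        nxt, off = pkt[off], off + hlen
    else:
        findings.append(f"more than {MAX_CHAIN} extension headers in chain")
    return findings

def _ipv6(payload: bytes, first_nh: int) -> bytes:
    # Constructed sample packet: version 6, zeroed flow label and addresses, hop limit 64.
    return struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64) + bytes(32) + payload

# Constructed samples: a well-formed Hop-by-Hop header (8 bytes, next = UDP) followed by
# 4 payload bytes, and one whose hdr_ext_len (5 -> 48 bytes) overruns the packet.
GOOD = _ipv6(bytes([17, 0]) + bytes(6) + b"data", 0)
BAD = _ipv6(bytes([17, 5]) + bytes(6), 0)

if __name__ == "__main__":
    for label, pkt in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_ipv6_ext_chain(pkt) or "consistent")
```

A packet flagged by this check is not proof of exploitation; it is a reason to capture it and correlate with the device reboots and service outages listed above.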
## References
- **Kaspersky ICS CERT Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2021/02/05/getting-back-on-treck-more-vulnerabilities-in-the-infamous-tcp-ip-stack/
- **CERT/CC Vulnerability Note:** hxxps[://]www[.]kb[.]cert[.]org/vuls/id/114558
- **Treck Security:** hxxp[://]treck[.]com/security/