The Driz Group


9/14/2020


Bugs in Treck TCP/IP Stack Put Hundreds of Millions of IoT and Embedded Devices At Risk

 

Nineteen vulnerabilities in a piece of software called “Treck TCP/IP Stack” have recently been discovered. This piece of software is present in hundreds of millions of IoT and embedded devices, putting these devices and connected devices at risk.

The 19 vulnerabilities in the Treck TCP/IP stack are collectively called “Ripple20”, emphasizing the word “ripple”, as the ripple effect of these vulnerabilities has grown exponentially due to the supply chain factor. Out of the 19 vulnerabilities discovered, 2 were disclosed anonymously and 17 were disclosed by Israel-based cybersecurity firm JSOF.

“A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people,” JSOF said in the report "19 Zero-Day Vulnerabilities Amplified by the Supply Chain". “Ripple20 reached critical IoT devices from a wide range of fields, involving a diverse group of vendors.”

Tracing the Supply Chain

The Treck TCP/IP stack was developed 20 years ago by a firm called “Treck”. This piece of software serves as a basic networking element or building block, useful in any context for any IoT or embedded device that works over a network.

According to JSOF, over the past two decades, Treck TCP/IP has been spreading around the world, through both direct and indirect use. JSOF reported that in the 1990s, Treck collaborated with a Japanese company named Elmic Systems. The two later went their separate ways, resulting in two separate branches of the TCP/IP stack, one managed by Treck and the other managed by Elmic Systems. Other than ELMIC, the Treck TCP/IP stack is also known by other names such as Net+ OS, Quadnet, GHNET v2, and Kwiknet.

Printers, routers, infusion pumps in the medical sector, and industrial controls are some of the devices affected by these vulnerabilities. Device vendors affected by the 19 vulnerabilities discovered in Treck TCP/IP include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter. JSOF estimates that the 19 discovered vulnerabilities affect hundreds of millions or more devices.

Security Vulnerabilities in Treck TCP/IP

Of the 19 security vulnerabilities discovered in Treck TCP/IP, 4 are rated critical remote code execution vulnerabilities with CVSS ≥ 9, 4 are major with CVSS ≥ 7, and 11 more have various lower severities. CVSS, short for Common Vulnerability Scoring System, is the industry standard for assessing the severity of computer system security vulnerabilities, the most critical of which are rated 10.

The vulnerabilities designated CVE-2020-11896, CVE-2020-11898, and CVE-2020-11901 are among the most notable of the 19.

CVE-2020-11896 is a critical vulnerability in the Treck TCP/IP stack. It allows remote code execution by any attacker that can send UDP packets to an open port on the target device. Remote code execution allows attackers from any geographical location to run programs on the target device.

CVE-2020-11898 is a vulnerability in the Treck TCP/IP stack, which improperly handles an IPv4/ICMPv4 Length Parameter Inconsistency, allowing remote attackers to trigger an information leak. JSOF researchers tested the CVE-2020-11896 and CVE-2020-11898 vulnerabilities on the Digi Connect ME 9210, an embeddable device that is used in medical devices. Digi Connect can be purchased from any of the large electronic-parts resellers, which amplifies these vulnerabilities, as any device that embeds it also becomes vulnerable.
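A receiver or inline filter can reject a length parameter inconsistency of the kind named for CVE-2020-11898 by checking each length field against the bytes that actually arrived before using it. The following is an added example, not Treck's code and not taken from the JSOF report; it goes beyond the IPv4/ICMPv4 case in the text by also checking the UDP length field, and its function names, result codes and sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes; all names here are hypothetical, chosen for this example. */
enum len_check { LEN_OK, LEN_TRUNCATED, LEN_BAD_IHL, LEN_BAD_TOTAL, LEN_BAD_L4 };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Check every length field against the bytes actually received (frame_len)
 * before any of them is used to size a copy. Checksums are not verified. */
enum len_check check_ipv4_lengths(const uint8_t *pkt, size_t frame_len) {
    if (frame_len < 20) return LEN_TRUNCATED;           /* minimum IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if ((pkt[0] >> 4) != 4 || ihl < 20 || ihl > frame_len) return LEN_BAD_IHL;
    size_t total = rd16(pkt + 2);
    /* Total length must cover the header and must not exceed what arrived. */
    if (total < ihl || total > frame_len) return LEN_BAD_TOTAL;
    size_t payload = total - ihl;
    /* MF flag or non-zero offset: the L4 header is checked after reassembly. */
    if (rd16(pkt + 6) & 0x3FFF) return LEN_OK;
    if (pkt[9] == 17) {                                 /* UDP */
        if (payload < 8) return LEN_BAD_L4;
        size_t udp_len = rd16(pkt + ihl + 4);
        if (udp_len < 8 || udp_len > payload) return LEN_BAD_L4;
    } else if (pkt[9] == 1 && payload < 8) {            /* ICMPv4 header */
        return LEN_BAD_L4;
    }
    return LEN_OK;
}

/* Constructed sample: IPv4 header (20) + UDP header (8) + 4 data bytes. */
static const uint8_t SAMPLE_OK[32] = {
    0x45, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 0, 2, 1, 192, 0, 2, 2,
    0x30, 0x39, 0x00, 0x35, 0x00, 0x0C, 0x00, 0x00, 'd', 'a', 't', 'a' };

/* Copy the sample, overwrite one 16-bit field at off, and re-run the check. */
enum len_check check_mutated(size_t off, uint16_t val, size_t frame_len) {
    uint8_t buf[sizeof SAMPLE_OK];
    memcpy(buf, SAMPLE_OK, sizeof buf);
    buf[off] = (uint8_t)(val >> 8);
    buf[off + 1] = (uint8_t)(val & 0xFF);
    return check_ipv4_lengths(buf, frame_len);
}

int main(void) {
    printf("sample=%d total_too_big=%d udp_too_big=%d\n",
           check_ipv4_lengths(SAMPLE_OK, sizeof SAMPLE_OK),
           check_mutated(2, 512, 32), check_mutated(24, 256, 32));
    return 0;
}
```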

Among the 19 security vulnerabilities in the Treck TCP/IP stack, the most severe is CVE-2020-11901, receiving a CVSS score of 9.1. This CVE covers a collection of several critical client-side vulnerabilities in the DNS resolver of the Treck TCP/IP stack.

If successfully exploited, this vulnerability allows pre-authentication arbitrary remote code execution. It is of particular interest because a sophisticated attacker, such as a nation state, “can potentially reply to a DNS request from outside of the corporate network, thus breaking network segmentation,” researchers at JSOF said.

JSOF researchers tested the CVE-2020-11901 vulnerability on a Schneider Electric UPS device, model APC Smart-UPS 750 (SMT750I/ID18/230V). A UPS, short for Uninterruptible Power Supply, is a device designed for use in enterprise networks, data centers, and mission-critical systems. It’s used as an embedded battery to ensure that devices connected to it won’t suffer from power outages or fluctuations. Remotely exploiting a UPS device can, therefore, have disastrous consequences.

Preventive and Mitigating Measures

Here are some cybersecurity measures for preventing or mitigating the effects of the 19 vulnerabilities discovered in the Treck TCP/IP stack:

Keep all Firmware and Software Up to Date

Some vendors of the products affected by the 19 vulnerabilities discovered in the Treck TCP/IP stack, such as Aruba Networks, Digi International, HP, Intel, Teradici, and Xerox, have issued a corresponding patch or security update fixing the said vulnerabilities.

Retire Devices that No Longer Receive Security Updates

“The Treck stack has been around for more than 20 years,” JSOF researchers said. “Possibly the vulnerabilities too.”

Due to the length of time, some of the IoT and embedded devices affected by the vulnerabilities discovered in the Treck TCP/IP stack may no longer receive security updates. Continued use of vulnerable devices puts your organization’s network at risk of cyberattacks.

Devices that no longer receive security updates, and that have served their purpose for years, should no longer be used. Luckily, some of these devices are inexpensive, so it’s much cheaper to replace them with the latest versions than to keep using outdated devices that only put your organization’s network at risk.


    Author

    Steve E. Driz, I.S.P., ITCP
