Treck TCP/IP Stack Vulnerabilities Alert

The US Cybersecurity and Infrastructure Security Agency (CISA) warned that a low-level TCP/IP software library developed by Treck has serious vulnerabilities that allow remote attackers to run arbitrary commands and launch denial of service (DoS) attacks. The four vulnerabilities affect Treck TCP/IP Stack 6.0.1.67 and earlier versions, and two of them are rated critical. Treck’s embedded TCP/IP stack is deployed in manufacturing, information technology, healthcare, and transportation systems worldwide.

The most serious is a heap-based buffer overflow (CVE-2020-25066) in the Treck HTTP server component, which allows an attacker to reset or crash the target device, or even execute code remotely. It carries a CVSS score of 9.8.

The second vulnerability is an out-of-bounds write in the IPv6 component (CVE-2020-27337, CVSS score 9.1). An unauthenticated attacker with network access can use it to cause a DoS.

The other two vulnerabilities are also in the IPv6 component: an out-of-bounds read (CVE-2020-27338, CVSS score 5.9) that an unauthenticated attacker can use to cause a DoS, and an input validation error (CVE-2020-27336, CVSS score 3.7) that can likewise lead to an out-of-bounds read.

Treck recommends updating to version 6.0.1.68. Where the patch cannot be applied, the recommended mitigation is to use a firewall to drop packets whose HTTP Content-Length header carries a negative value.
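The interim mitigation above, as an added example that is not code from CISA, Treck, or the advisory: a Python check that inspects the header block of an HTTP/1.x request and applies the RFC 7230 grammar for Content-Length (digits only), so a negative value (the packet shape the advisory names) is dropped, and non-numeric or conflicting values are dropped as well. The request samples are constructed for illustration; the function and header names are this example's own.

```python
import re

# RFC 7230 section 3.3.2: Content-Length = 1*DIGIT. A sign, hex, whitespace
# inside the number, or an empty value is malformed. A leading "-" is the case
# the Treck advisory recommends filtering at the firewall.
_VALID_CONTENT_LENGTH = re.compile(rb"^[0-9]+$")

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "normal": b"POST /cgi HTTP/1.1\r\nHost: device\r\nContent-Length: 12\r\n\r\nhello=world!",
    "negative": b"POST /cgi HTTP/1.1\r\nHost: device\r\nContent-Length: -1\r\n\r\n",
    "conflicting": b"POST /cgi HTTP/1.1\r\nContent-Length: 4\r\nContent-Length: 99\r\n\r\nabcd",
    "get": b"GET /status HTTP/1.1\r\nHost: device\r\n\r\n",
}


def check_content_length(raw_request: bytes):
    """Return (verdict, reason) for an HTTP/1.x request; verdict is "allow" or "drop".

    Only the header section (up to the first blank line) is examined, so a
    truncated or absent body does not affect the decision.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            values.append(value.strip())
    if not values:
        return ("allow", "no Content-Length header")
    # A comma-separated list in one header is treated like repeated headers.
    flat = [v.strip() for raw in values for v in raw.split(b",")]
    for v in flat:
        if v.startswith(b"-"):
            return ("drop", "negative Content-Length")
        if not _VALID_CONTENT_LENGTH.match(v):
            return ("drop", f"non-numeric Content-Length {v!r}")
    if len(set(flat)) > 1:
        return ("drop", "conflicting Content-Length values")
    return ("allow", f"Content-Length {int(flat[0])}")


if __name__ == "__main__":
    for label, request in SAMPLE_REQUESTS.items():
        print(f"{label:12s} -> {check_content_length(request)}")
```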