CISA Issues ICS Advisory for New Vulnerabilities in Treck TCP/IP Stack

Security updates available for the Treck TCP/IP stack address two critical vulnerabilities that could lead to remote code execution or denial of service. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to warn organizations using industrial control systems (ICS) about the risks posed by these flaws.


A low-level TCP/IP software library, the Treck TCP/IP stack is specifically designed for embedded systems, featuring small critical sections and a small code footprint. CISA says the product is used worldwide in the critical manufacturing, IT, healthcare and transportation sectors.


Last week, four new vulnerabilities that Intel’s security researchers discovered in the Treck TCP/IP stack were made public. Two of these were rated critical severity.


The more severe of the two is CVE-2020-25066 (CVSS score of 9.8), a heap-based buffer overflow bug in the Treck HTTP Server components that could be abused by attackers to cause denial of service or execute code remotely.


Next in line is CVE-2020-27337 (CVSS score of 9.1), an out-of-bounds write in the IPv6 component that could be exploited by an unauthenticated user to cause a DoS condition via network access.


An out-of-bounds read in the DHCPv6 client component of Treck IPv6 could be abused by an unauthenticated user to cause denial-of-service via adjacent network access. The bug is tracked as CVE-2020-27338 (CVSS score of 5.9).


The fourth issue, CVE-2020-27336 (CVSS score 3.7), is an improper input validation in the IPv6 component that could lead to an out-of- ..
