Ripple20 Vulnerabilities Affecting Treck IP Stacks
Treck TCP/IP Stack
All information products included in https://us-cert.gov/ics are
provided "as is" for informational purposes only. The Department
of Homeland Security (DHS) does not provide any warranties of any kind
regarding any information contained within. DHS does not endorse any commercial
product or service, referenced in this product or otherwise. Further
dissemination of this product is governed by the Traffic Light Protocol (TLP)
marking in the header. For more information about TLP, see https://www.us-cert.gov/tlp/.
1. EXECUTIVE SUMMARY
CVSS v3 10.0
ATTENTION: Exploitable remotely
Vendor: Treck Inc.
Vulnerabilities: Improper Handling
of Length Parameter Inconsistency, Improper Input Validation, Double Free,
Out-of-bounds Read, Integer Overflow or Wraparound, Improper Null
Termination, Improper Access Control
CISA is aware of a public report, known as “Ripple20” that
details vulnerabilities found in the Treck TCP/IP stack. CISA is issuing this
advisory to provide early notice of the reported vulnerabilities and identify
baseline mitigations for reducing risks to these and other cybersecurity
2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory
titled ICSA-20-168-01 Treck TCP/IP Stack that was published June 16, 2020, to
the ICS webpage on us-cert.gov.
3. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow
remote code execution or exposure of sensitive information.