
New vulnerabilities in the Treck TCP/IP stack have been identified by ICS-CERT, and Forescout has released an open-source tool for detecting whether a network device runs one of the four open-source TCP/IP stacks.
CVE-2020-25066 is the most critical, as it could allow an attacker to cause a denial-of-service condition but may also result in arbitrary code execution; it was identified in Treck TCP/IP stack version
“The Treck TCP/IP stack may be known by other names such as Kasago TCP/IP, ELMIC, Net+ OS, Quadnet, GHNET v2, Kwiknet, or AMX,” ICS-CERT pointed out.
The good news is that the vulnerabilities have been fixed and that there are no known public exploits specifically targeting them.
In addition to JSOF and Forescout, Armis researchers have also unearthed vulnerabilities in a TCP/IP library – namely IPnet, a TCP/IP stack used in Wind River VxWorks, a real-time operating system used by more than two billion devices across industrial, medical and enterprise environments.
The main problem for organizations is that many embedded systems, IoT and OT devices don’t come with a Software Bill of Materials, and it’s difficult to find out which OS, firmware, or TCP/IP stack each device/system uses.
Forescout has created the project-memoria-detector tool – an open-source script that identifies the use of four TCP/IP stacks on a target device via three active fingerprinting methods.
For the moment, the script’s results are not absolute, i.e., it indicates the use of one of those four stacks with a certain level of confidence (high, medium, low).
“The level of confidence is a reminder that the script can still result in false positive and false negative matches,” the researchers explained.
They intend to update the script with detections for other stacks in the future as they disclose additional vulnerabilities, and urge the community to help improve the tool's detection of the currently covered vulnerable TCP/IP stacks and of other stacks.