On June 16, 2020 Researchers at JSOF in Israel published a summary of their research into the Treck TCP/IP software library. The Treck product is used in millions of devices containing network interfaces.
JSOF, a cybersecurity consulting organization, began their research into the Treck software in September 2019. The JSOF team quickly found the Treck library was present in vast numbers of products produced by a still-expanding list of manufacturers. JSOF disclosed to Treck which published a patch in late March.
The researchers found 19 vulnerabilities, two of which are rated critical. JSOF named the group of vulnerabilities “Ripple20.” A remote code execution vulnerability (CVE-2020-11896, CVSSv3 score 10) can be exploited by sending malformed packets to a device operating in a specific configuration. An Out-of-Bounds Write condition (CVE-2020-11897, CVSSv3 score 10) is exploited by sending malformed IPv6 packets. An information leak vulnerability (CVE-2020-11898, CVSSv3 score 9.8) can be exploited by manipulating an IPv4 length parameter.
Because the Treck software library is implemented in a variety of ways, patches and updates need to be installed from the manufacturers which implemented the library rather than from Treck directly. Manufacturers including Cisco and HP, and HPE have published patches and updates.
We strongly advise customers to review the Patch & Update sites for the products in their environment and upgrade appropriately. PDS Architects are available to assist with the upgrades, your Account Director can assist in arranging for this upgrade support.