Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Title Treck IP stacks contain multiple vulnerabilities
Name VU#257161 First vendor Publication 2020-06-16
Vendor VU-CERT Last vendor Modification 2020-10-08
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Overall CVSS Score 10
Base Score 10 Environmental Score 10
impact SubScore 6 Temporal Score 10
Exploitabality Sub Score 3.9
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction None
Scope Changed Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores



Treck IP stack implementations for embedded systems are affected by multiple vulnerabilities. This set of vulnerabilities was researched and reported by JSOF, who calls them Ripple20.


Treck IP network stack software is designed for and used in a variety of embedded systems. The software can be licensed and integrated in various ways, including compiled from source, licensed for modification and reuse and finally as a dynamic or static linked library. Treck IP software contains multiple vulnerabilities, most of which are caused by memory management bugs. For more details on the vulnerabilities introduced by these bugs, see Treck's Vulnerability Response Information and JSOF's Ripple20 advisory.

Historically-related KASAGO TCP/IP middleware from Zuken Elmic (formerly Elmic Systems) is also affected by some of these vulnerabilities.

These vulnerabilities likely affect industrial control systems and medical devices. Please see ICS-CERT Advisory ICSA-20-168-01 for more information.


The impact of these vulnerabilities will vary due to the combination of build and runtime options used while developing different embedded systems. This diversity of implementations and the lack of supply chain visibility has exasperated the problem of accurately assessing the impact of these vulnerabilities. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause a denial of service, disclose information, or execute arbitrary code.


Apply updates

Update to the latest stable version of Treck IP stack software ( or later). Please contact Treck at security@treck.com. Downstream users of embedded systems that incorporate Treck IP stacks should contact their embedded system vendor.

Block anomalous IP traffic

Consider blocking network attacks via deep packet inspection. In some cases, modern switches, routers, and firewalls will drop malformed packets with no additional configuration. It is recommended that such security features are not disabled. Below is a list of possible mitigations that can be applied as appropriate to your network environment.

  • Normalize or reject IP fragmented packets (IP Fragments) if not supported in your environment
  • Disable or block IP tunneling, both IPv6-in-IPv4 or IP-in-IP tunneling if not required
  • Block IP source routing and any IPv6 deprecated features like routing headers (see also VU#267289)
  • Enforce TCP inspection and reject malformed TCP packets
  • Block unused ICMP control messages such MTU Update and Address Mask updates
  • Normalize DNS through a secure recursive server or application layer firewall
  • Ensure that you are using reliable OSI layer 2 equipment (Ethernet)
  • Provide DHCP/DHCPv6 security with feature like DHCP snooping
  • Disable or block IPv6 multicast if not used in switching infrastructure

Further recommendations are available here.

Detect anomalous IP traffic

Suricata IDS has built-in decoder-event rules that can be customized to detect attempts to exploit these vulnerabilities. See the rule below for an example. A larger set of selected vu-257161.rules are available from the CERT/CC Github repository.

#IP-in-IP tunnel with fragments
alert ip any any -> any any (msg:"VU#257161:CVE-2020-11896, CVE-2020-11900 Fragments inside IP-in-IP tunnel https://kb.cert.org/vuls/id/257161"; ip_proto:4; fragbits:M; sid:1367257161; rev:1;)


Moshe Kol and Shlomi Oberman of JSOF https://jsof-tech.com researched and reported these vulnerabilities. Treck worked closely with us and other stakeholders to coordinate the disclosure of these vulnerabilities.

This document was written by Vijay Sarvepalli.

Original Source

Url : https://kb.cert.org/vuls/id/257161

CWE : Common Weakness Enumeration

% Id Name
47 % CWE-125 Out-of-bounds Read
12 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)
12 % CWE-191 Integer Underflow (Wrap or Wraparound)
12 % CWE-20 Improper Input Validation
6 % CWE-415 Double Free
6 % CWE-200 Information Exposure
6 % CWE-190 Integer Overflow or Wraparound (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Application 1

Snort® IPS/IDS

Date Description
2020-09-09 Treck TCP/IP stack CNAME record heap overflow attempt
RuleID : 54706 - Revision : 1 - Type : PROTOCOL-DNS
2020-09-09 Treck TCP/IP stack CNAME record heap overflow attempt
RuleID : 54705 - Revision : 1 - Type : PROTOCOL-DNS
2020-07-23 Potentially suspicious fragmented IP in IP packet
RuleID : 54383 - Revision : 2 - Type : POLICY-OTHER

Alert History

If you want to see full details history, please login or register.
Date Informations
2020-10-08 17:17:34
  • Multiple Updates
2020-09-30 21:17:42
  • Multiple Updates
2020-09-25 21:17:49
  • Multiple Updates
2020-09-24 17:17:38
  • Multiple Updates
2020-09-02 17:17:39
  • Multiple Updates
2020-08-07 21:17:44
  • Multiple Updates
2020-08-07 00:17:29
  • Multiple Updates
2020-07-30 21:17:41
  • Multiple Updates
2020-07-23 17:17:27
  • Multiple Updates
2020-07-11 00:28:27
  • Multiple Updates
2020-07-11 00:17:28
  • Multiple Updates
2020-07-10 17:28:11
  • Multiple Updates
2020-07-10 17:17:27
  • Multiple Updates
2020-07-09 21:28:37
  • Multiple Updates
2020-07-09 21:17:37
  • Multiple Updates
2020-07-09 00:28:23
  • Multiple Updates
2020-07-09 00:17:29
  • Multiple Updates
2020-07-03 21:28:53
  • Multiple Updates
2020-07-03 21:17:56
  • Multiple Updates
2020-07-02 17:28:29
  • Multiple Updates
2020-07-02 17:17:29
  • Multiple Updates
2020-06-26 17:28:15
  • Multiple Updates
2020-06-26 00:17:34
  • Multiple Updates
2020-06-23 05:17:25
  • Multiple Updates
2020-06-22 17:17:27
  • Multiple Updates
2020-06-19 21:28:21
  • Multiple Updates
2020-06-19 17:17:27
  • Multiple Updates
2020-06-18 17:17:25
  • Multiple Updates
2020-06-17 17:28:12
  • Multiple Updates
2020-06-17 17:17:26
  • Multiple Updates
2020-06-16 21:17:35
  • First insertion