The Cybersecurity Infrastructure and Security Agency (CISA) is warning of yet another TCP/IP stack vulnerability problem that could lead to remote code execution and denial-of-service attacks. The TCP/IP stack is not a visible layer, and it’s usually comprised of various protocols responsible for all Internet traffic. But, like many other components, it’s not a uniform layer, and different companies build different components, usually to cover specific needs.
In this situation, the Treck TCP/IP stack Version 220.127.116.11 is the one with issues, and it’s actually a bunch of vulnerabilities affecting various components. For example, a vulnerability in Treck HTTP Server components could let an attacker cause a denial-of-service condition. Another, an out-of-bounds write in the IPv6 component, could have let an unauthenticated user provoke a possible denial-of-service via network access.
Various implementations of the stack can be found in the critical manufacturing, information technology, healthcare and transportation systems. The stack is deployed worldwide, under many other names, including Kasago TCP/IP, ELMIC, Net+ OS, Quadnet, GHNET v2, Kwikset and AMX.
Of course, the main method of mitigation would be to get the latest patches and apply them. If that’s not possible, Trek recommends that organizations implement firewall rules to filter out packets containing a negative content-length in the HTTP header.
Fortunately, no known exploits specifically target these vulnerabilities. Attackers would need a high skill level even to begin exploiting them.
Just a few weeks ago, security researchers flagged another set of TCP/IP vulnerabilities, dubbed Amnesia:33, possibly affecting millions of OT and IoT devices.