ID CVE-2020-27336 Type cve Reporter cve@mitre.org Modified 2020-12-23T16:44:00
Description
An issue was discovered in Treck IPv6 before 6.0.1.68. Improper input validation in the IPv6 component when handling a packet sent by an unauthenticated remote attacker could result in an out-of-bounds read of up to three bytes via network access.
Published 2020-12-22T22:15:00
Last seen 2020-12-24T13:57:54 (edition 2, 27 views)
NVD entry: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27336

CVSS v2: 5.0 MEDIUM, vector AV:N/AC:L/Au:N/C:P/I:N/A:N (exploitability 10.0, impact 2.9; no authentication or user interaction required; no privilege gain)
CVSS v3.1: 5.3 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (exploitability 3.9, impact 1.4)
Vulners score: 3.9
CWE: CWE-125

Affected software: treck ipv6, versions before 6.0.1.68
CPE configuration (CVE data version 4.0): cpe:2.3:a:treck:ipv6:6.0.1.68:*:*:*:*:*:*:* with versionEndExcluding 6.0.1.68, vulnerable: true

References:
https://treck.com/vulnerability-response-information/

Related bulletins: HP:C06990695 (hp), ICSA-20-353-01 (ics), THN:16FE02C52CCB308E7739CDE97FA32A3C (thn)
Related bulletin HP:C06990695
Type hp, published 2020-12-27, last seen 2020-12-27T15:26:43
Source: https://support.hp.com/us-en/document/c06990695
Title: HPSBPI03709 rev. 1 - Certain HP and Samsung-branded Print Products - IPv6 Network Stack Vulnerability
CVEs: CVE-2020-27336, CVE-2020-27337, CVE-2020-27338
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Potential Security Impact: Denial of Service
Source: HP, HP Product Security Response Team (PSRT)

VULNERABILITY SUMMARY
HP has identified a potential security vulnerability with the IPv6 network stack of certain HP and Samsung branded printers that could result in a denial of service.

RESOLUTION
HP is actively investigating the referenced potential security vulnerability. Please subscribe to HP Security Bulletin alerts as described below for further updates on the issue. The current recommendation to help mitigate potential exploitation of the vulnerability is to disable IPv6 on the printer.

To disable IPv6, access the Embedded Web Server (EWS) on the printer, and then select Enable IPv4 only as illustrated below.

For more information on accessing the EWS, refer to HP Printers - Using the HP Printer Embedded Web Server (EWS).

Related bulletin THN:16FE02C52CCB308E7739CDE97FA32A3C
Type thn, published 2020-12-23T06:51:00, modified 2020-12-23T06:51:43
Source: https://thehackernews.com/2020/12/new-critical-flaws-in-treck-tcpip-stack.html
Title: New Critical Flaws in Treck TCP/IP Stack Affect Millions of IoT Devices
CVEs: CVE-2020-25066, CVE-2020-27336, CVE-2020-27337, CVE-2020-27338

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned (https://us-cert.cisa.gov/ics/advisories/icsa-20-353-01) of critical vulnerabilities in a low-level TCP/IP software library developed by Treck that, if weaponized, could allow remote attackers to run arbitrary commands and mount denial-of-service (DoS) attacks.

The four flaws affect Treck TCP/IP stack version 6.0.1.67 and earlier and were reported to the company by Intel. Two of these are rated critical in severity.

Treck's embedded TCP/IP stack is deployed worldwide in manufacturing, information technology, healthcare, and transportation systems.

The most severe of them is a heap-based buffer overflow vulnerability (CVE-2020-25066) in the Treck HTTP Server component that could permit an adversary to crash or reset the target device and even execute remote code. It has a CVSS score of 9.8 out of a maximum of 10.

The second flaw is an out-of-bounds write in the IPv6 component (CVE-2020-27337, CVSS score 9.1) that could be exploited by an unauthenticated user to cause a DoS condition via network access.

Two other vulnerabilities concern an out-of-bounds read in the IPv6 component (CVE-2020-27338, CVSS score 5.9) that could be leveraged by an unauthenticated attacker to cause DoS, and an improper input validation in the same module (CVE-2020-27336, CVSS score 3.7) that could result in an out-of-bounds read of up to three bytes via network access.

Treck recommends (https://treck.com/vulnerability-response-information/) that users update the stack to version 6.0.1.68 to address the flaws. In cases where the latest patches cannot be applied, it is advised that firewall rules be implemented to filter out packets that contain a negative content-length in the HTTP header.

The disclosure of new flaws in the Treck TCP/IP stack comes six months after Israeli cybersecurity company JSOF uncovered 19 vulnerabilities in the software library, dubbed Ripple20 (https://thehackernews.com/2020/06/new-critical-flaws-put-billions-of.html), that could make it possible for attackers to gain complete control over targeted IoT devices without requiring any user interaction.

What's more, earlier this month, Forescout researchers revealed 33 vulnerabilities, collectively called AMNESIA:33 (https://thehackernews.com/2020/12/amnesia33-critical-tcpip-flaws-affect.html), impacting open-source TCP/IP protocol stacks that could be abused by a bad actor to take over a vulnerable system.

Given the complex IoT supply chain involved, the company has released a new detection tool called "project-memoria-detector" to identify whether a target network device runs a vulnerable TCP/IP stack in a lab setting. The tool is available on GitHub: https://github.com/Forescout/project-memoria-detector

Related bulletin ICSA-20-353-01
Type ics, published 2020-12-18, last seen 2020-12-24T17:22:47 (edition 2)
Source: https://www.us-cert.gov//ics/advisories/icsa-20-353-01
Title: Treck TCP/IP Stack
CVEs: CVE-2020-25066, CVE-2020-27336, CVE-2020-27337, CVE-2020-27338
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

1. EXECUTIVE SUMMARY
 * CVSS v3 9.8
 * ATTENTION: Exploitable remotely
 * Vendor: Treck Inc.
 * Equipment: TCP/IP
 * Vulnerability: Heap-based Buffer Overflow, Out-of-bounds Read, Out-of-bounds Write

The Treck TCP/IP stack may be known by other names such as Kasago TCP/IP, ELMIC, Net+ OS, Quadnet, GHNET v2, Kwiknet, or AMX.

2. RISK EVALUATION
Successful exploitation of this vulnerability may allow remote code execution and a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS
The following components of Treck TCP/IP stack Version 6.0.1.67 and prior are affected:
 * HTTP Server
 * IPv6
 * DHCPv6

3.2 VULNERABILITY OVERVIEW

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122 (https://cwe.mitre.org/data/definitions/122.html)
A vulnerability in Treck HTTP Server components allows an attacker to cause a denial-of-service condition. This vulnerability may also result in arbitrary code execution.
CVE-2020-25066 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25066) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787 (https://cwe.mitre.org/data/definitions/787.html)
An out-of-bounds write in the IPv6 component may allow an unauthenticated user to cause a denial-of-service via network access.
CVE-2020-27337 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27337) has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

3.2.3 OUT-OF-BOUNDS READ CWE-125 (https://cwe.mitre.org/data/definitions/125.html)
An issue was discovered in Treck IPv6. An out-of-bounds read in the DHCPv6 client component may allow an unauthenticated user to cause a denial-of-service via adjacent network access.
CVE-2020-27338 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27338) has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H (calculator link as published: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H).

3.2.4 OUT-OF-BOUNDS READ CWE-125 (https://cwe.mitre.org/data/definitions/125.html)
Improper input validation in the IPv6 component may allow an unauthenticated user to cause an out-of-bounds read of up to three bytes via network access.
CVE-2020-27336 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27336) has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND
 * CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Information Technology, Healthcare and Public Health, Transportation Systems
 * COUNTRIES/AREAS DEPLOYED: Worldwide
 * COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Intel reported these vulnerabilities to Treck.

4. MITIGATIONS
Treck recommends users apply the latest version of the affected products (Treck TCP/IP 6.0.1.68 or later versions). To obtain patches, email security@treck.com.

Treck recommends users who cannot apply the latest patches to implement firewall rules to filter out packets that contain a negative content length in the HTTP header.

For more detailed information on the vulnerabilities and the mitigating controls, please see the Treck advisory: https://treck.com/vulnerability-response-information/

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
 * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet (https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01).
 * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
 * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices (https://us-cert.cisa.gov/ics/recommended-practices) on the ICS webpage on us-cert.cisa.gov (https://us-cert.cisa.gov/ics). Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies (https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf).

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies (https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B).

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

High skill level is needed to exploit. No known public exploits specifically target these vulnerabilities.

Contact Information
For any questions related to this report, please contact CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics
For incident reporting: https://us-cert.cisa.gov/report