iTnews

Network zero-days leave millions of IoT devices open to abuse

By Juha Saarinen on Jun 17, 2020 1:07PM

Widely-used Treck TCP/IP library becomes supply chain security risk.

Security researchers analysing a network stack used in hundreds of millions of devices found that it contained serious vulnerabilities that could be exploited by attackers for remote code execution and data exfiltration.

The software library is made by Treck, which specialises in transmission control protocol/internet protocol (TCP/IP) networking stacks for embedded devices.

JSOF, which started analysing Treck's software in September last year, found a total of 19 vulnerabilities.

Of these, four are marked as critical, with ratings over 9 under the Common Vulnerability Scoring System version 3 (CVSSv3), and can be considered zero-days, JSOF said.

Two critical vulnerabilities that can be triggered by sending multiple malformed internet protocol version 4 and 6 packets to devices can be exploited for remote code execution, and carry the maximum 10 out of 10 severity score under CVSSv3.

Another remote code execution vulnerability rates 9 out of 10 on CVSSv3, but JSOF said that in its opinion it is the most serious of all, as domain name system (DNS) lookups can leave the network in which the device is located, allowing attackers to take over equipment through resolver cache poisoning.

Such a vulnerability can bypass security measures and will likely be difficult for firewalls and similar products to detect, JSOF said.

The software library is found in a large number of applications, ranging from industrial controllers to medical devices, printers, transportation systems, aviation, network equipment, government and national security, enterprise devices and more.
 
JSOF has confirmed that devices from several well-known brands such as HP, Schneider Electric, Intel, Caterpillar and Baxter used vulnerable versions of the Treck TCP/IP stack.

If the vulnerable devices face the internet, attackers could use the vulnerabilities to take them over, or compromise them to lie hidden in networks for years.

Bypassing network address translation (NAT) is also possible from the outside world, JSOF noted.

Apart from applying patches to vulnerable devices, JSOF recommends administrators try to filter out anomalous TCP/IP traffic to mitigate exploitation.

Products that can't be updated should not be accessible from the internet unless it's absolutely necessary, and network exposure for these should be kept to a minimum, JSOF suggested.

Treck has acknowledged the vulnerabilities, issued patches for them and also notified its customers.

JSOF said working with Treck was "initially challenging" as the company appears to have never been the target of independent security research.

Treck also took the information disclosed by JSOF to litigation lawyers, the security vendor said.

After asking vendors that use the TCP/IP stack such as Digi, HP, Intel and Quadros for help, JSOF was able to make contact with Treck and work with the company to address the many vulnerabilities in its software.
