Friday, December 18, 2020

1 Advisory Published – 12-18-20

Today the CISA NCCIC-ICS published an unusual Friday control system security advisory for products from Treck.

Treck Advisory

This advisory describes four vulnerabilities in the Treck TCP/IP stack. The vulnerabilities were reported by Intel. Treck has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2020-25066,

• Out-of-bounds write - CVE-2020-27337, and

• Out-of-bounds read - CVE-2020-27338 and CVE-2020-27336

NOTE: These vulnerabilities are in a version where the Ripple20 vulnerabilities had already been corrected. I would suspect that just about everyone that was affected by Ripple20 as a third-party vulnerability will be affected by this.

No comments:

/* Use this with templates/template-twocol.html */