Today the CISA NCCIC-ICS published an unusual Friday control system security advisory for products from Treck.
Treck Advisory
This advisory describes four vulnerabilities in the Treck TCP/IP stack. The vulnerabilities were reported by Intel. Treck has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.
The four reported vulnerabilities are:
• Heap-based buffer overflow - CVE-2020-25066,
• Out-of-bounds write - CVE-2020-27337,
and
• Out-of-bounds read - CVE-2020-27338 and CVE-2020-27336
NOTE: These vulnerabilities are in a version where the Ripple20 vulnerabilities had already been corrected. I
would suspect that just about everyone that was affected by Ripple20 as a
third-party vulnerability will be affected by this.
Posts
No comments:
Post a Comment