Treck TCP/IP (Update I)
Act Now | 10 | ICS-CERT ICSA-20-168-01 | Jun 16, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Treck TCP/IP stack contains multiple memory safety vulnerabilities (CWE-130, CWE-20, CWE-415, CWE-125, CWE-190, CWE-170, CWE-284) in its IPv4, IPv6, UDP, TCP, DNS, DHCP, ICMPv4, and ARP protocol implementations. Remote, unauthenticated attackers can send malformed network packets to trigger these defects and achieve remote code execution or information disclosure. The vulnerabilities span core networking functions used by thousands of industrial devices, medical equipment, and infrastructure control systems. Treck confirms no patch was initially available; the vendor later issued version 6.0.1.67 as the remediated version.
What this means
What could happen
An attacker could execute arbitrary code on any device using the Treck TCP/IP stack, potentially taking control of industrial equipment like PLCs, RTUs, or networked sensors. This could alter process parameters, stop critical operations, or cause physical damage depending on what the device controls.
Who's at risk
Water utilities, electric utilities, and any facility using industrial equipment (PLCs, RTUs, networked sensors, smart meters) that embed the Treck TCP/IP stack. Affected manufacturers include Rockwell, Schneider Electric, Johnson Controls, Caterpillar, Eaton, DIGI International, Opto 22, and many others in industrial automation, healthcare, and energy sectors.
How it could be exploited
An attacker on the network sends a specially crafted packet targeting one of the vulnerable TCP/IP protocols (TCP, UDP, IPv4, IPv6, DNS, DHCP, ICMPv4, or ARP). The malformed packet triggers a memory safety defect in the Treck stack, allowing code execution. No authentication or user interaction is required; exploitation happens at the network layer before any application layer security checks.
Prerequisites
- Network access to the device (same network segment or routable path to device IP)
- Device must be running a Treck TCP/IP version earlier than 6.0.1.67
- Attacker can send raw packets to at least one of the vulnerable protocols (TCP, UDP, IPv4, IPv6, DNS, DHCP, ICMPv4, ARP)
- Remotely exploitable from network without authentication
- Low complexity attack - pre-built network packets
- Actively exploited (KEV)
- High EPSS score (58%)
- No patch available from Treck at time of advisory
- Affects critical OT devices in safety-related systems
- Vulnerabilities in core network stack affect multiple protocols simultaneously
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (8)
8 pending
Product | Affected Versions | Fix Status
Treck Inc TCP/IP: IPv4 | IPv4 | No fix yet
Treck Inc TCP/IP: IPv6 | IPv6 | No fix yet
Treck Inc TCP/IP: UDP | UDP | No fix yet
Treck Inc TCP/IP: DNS | DNS | No fix yet
Treck Inc TCP/IP: DHCP | DHCP | No fix yet
Treck Inc TCP/IP: TCP | TCP | No fix yet
Treck Inc TCP/IP: ICMPv4 | ICMPv4 | No fix yet
Treck Inc TCP/IP: ARP | ARP | No fix yet
Remediation & Mitigation
Do now
- HOTFIX: Update Treck TCP/IP stack to version 6.0.1.67 or later. Contact security@treck.com for patch availability.
- WORKAROUND: Disable or restrict network access to devices running Treck TCP/IP until patching is complete. Use firewall rules to block inbound traffic from untrusted networks.
- HARDENING: Implement network segmentation to isolate industrial devices from corporate networks and the internet. Use air-gapped networks or VLANs with strict access controls.
Long-term hardening
- HARDENING: Enable network monitoring and intrusion detection on segments containing Treck TCP/IP devices to detect anomalous packet patterns.
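One way to approach the monitoring item above, as an added example that is not part of the advisory or of Treck's code: a Python check that flags IPv4/UDP length fields which disagree with each other or with the bytes actually received, the kind of inconsistency CWE-130 describes. It is a generic sanity check, not a signature for any specific CVE in this advisory; the function names, addresses and sample packets are constructed for illustration.

```python
import struct

def check_ipv4_lengths(pkt: bytes) -> list:
    """Return length-consistency findings for one raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20:
        return ["truncated: no complete 20-byte IPv4 header"]
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        return ["not an IPv4 packet"]
    hdr_len = (ver_ihl & 0x0F) * 4
    if hdr_len < 20:
        return [f"IHL gives {hdr_len}-byte header, below the 20-byte minimum"]
    if hdr_len > len(pkt):
        return [f"IHL gives {hdr_len}-byte header, but only {len(pkt)} bytes received"]
    if total_len < hdr_len:
        return [f"total length {total_len} is smaller than header length {hdr_len}"]
    findings = []
    if total_len > len(pkt):
        findings.append(f"total length {total_len} exceeds the {len(pkt)} bytes received")
    # Transport checks only make sense on unfragmented packets (MF clear, offset 0).
    if proto == 17 and (flags_frag & 0x3FFF) == 0:
        ip_payload = min(total_len, len(pkt)) - hdr_len
        if ip_payload < 8:
            findings.append("UDP header truncated")
        else:
            udp_len = struct.unpack("!H", pkt[hdr_len + 4:hdr_len + 6])[0]
            if udp_len < 8:
                findings.append(f"UDP length {udp_len} is below the 8-byte header size")
            elif udp_len > ip_payload:
                findings.append(f"UDP length {udp_len} exceeds IP payload of {ip_payload} bytes")
    return findings

def build_packet(ihl=5, total_len=None, udp_len=None, payload=b"constructed"):
    """Constructed sample IPv4/UDP packet; checksums are left at zero and not validated."""
    udp_len = 8 + len(payload) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    total_len = 20 + len(udp) if total_len is None else total_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 1, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # documentation addresses
    return ip + udp

if __name__ == "__main__":
    samples = {"well-formed": build_packet(), "oversized total length": build_packet(total_len=1500),
               "undersized UDP length": build_packet(udp_len=4), "short IHL": build_packet(ihl=3)}
    for name, pkt in samples.items():
        print(f"{name}: {check_ipv4_lengths(pkt) or 'consistent'}")
```

Run against packets captured on segments that contain Treck-based devices, a non-empty result marks a packet worth inspecting; it does not by itself indicate an exploitation attempt.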
CVEs (19)