Treck TCP/IP (Update I)

Act Now | CVSS 10 | ICS-CERT ICSA-20-168-01 | Jun 16, 2020
Schneider Electric | Energy | Manufacturing
Attack path
  Attack Vector: Network
  Auth Required: None
  Complexity: Low
  User Interaction: None needed
Summary

The Treck TCP/IP stack contains multiple memory safety vulnerabilities (CWE-130, CWE-20, CWE-415, CWE-125, CWE-190, CWE-170, CWE-284) in its IPv4, IPv6, UDP, TCP, DNS, DHCP, ICMPv4, and ARP protocol implementations. Remote, unauthenticated attackers can send malformed network packets to trigger these defects and achieve remote code execution or information disclosure. The vulnerabilities span core networking functions used by thousands of industrial devices, medical equipment, and infrastructure control systems. Treck confirmed that no patch was available at the time of the advisory; the vendor later issued version 6.0.1.67 as the remediated version.

What this means
What could happen
An attacker could execute arbitrary code on any device using the Treck TCP/IP stack, potentially taking control of industrial equipment like PLCs, RTUs, or networked sensors. This could alter process parameters, stop critical operations, or cause physical damage depending on what the device controls.
Who's at risk
Water utilities, electric utilities, and any facility using industrial equipment (PLCs, RTUs, networked sensors, smart meters) that embed the Treck TCP/IP stack. Affected manufacturers include Rockwell, Schneider Electric, Johnson Controls, Caterpillar, Eaton, DIGI International, Opto 22, and many others in industrial automation, healthcare, and energy sectors.
How it could be exploited
An attacker on the network sends a specially crafted packet targeting one of the vulnerable TCP/IP protocols (TCP, UDP, IPv4, IPv6, DNS, DHCP, ICMPv4, or ARP). The malformed packet triggers a memory safety defect in the Treck stack, allowing code execution. No authentication or user interaction is required; exploitation happens at the network layer before any application layer security checks.
Prerequisites
  • Network access to the device (same network segment or routable path to device IP)
  • Device must be running Treck TCP/IP version earlier than 6.0.1.67
  • Attacker can send raw packets to at least one of the vulnerable protocols (TCP, UDP, IPv4, IPv6, DNS, DHCP, ICMPv4, ARP)
Risk factors
  • Remotely exploitable from the network without authentication
  • Low-complexity attack: pre-built network packets
  • Actively exploited (KEV)
  • High EPSS score (58%)
  • No patch available from Treck at time of advisory
  • Affects critical OT devices in safety-related systems
  • Vulnerabilities in the core network stack affect multiple protocols simultaneously
Exploitability
Actively exploited — confirmed by CISA KEV
Public Proof-of-Concept (PoC) on GitHub (2 repositories)
Affected products (77)
30 with fix, 47 pending
Product | Affected Versions | Fix Status
Uninterruptible Power Supply (UPS) using NMC2: 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2), AP9630/AP9630CH/AP9630J, NMC2 AOS V6.9.4 and earlier | ≤ NMC2 AOS 6.9.4 | 6.9.6
Uninterruptible Power Supply (UPS) using NMC2: 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2), AP9631/AP9631CH/AP9631J, NMC2 AOS V6.9.4 and earlier | ≤ NMC2 AOS 6.9.4 | 6.9.6
Uninterruptible Power Supply (UPS) using NMC2: 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2), AP9635/AP9635CH, NMC2 AOS V6.9.4 and earlier | ≤ NMC2 AOS 6.9.4 | 6.9.6
Uninterruptible Power Supply (UPS) using NMC1 - SUMX AP9617 (discontinued in Nov 2011), Smart-UPS NMC1 v3.9.2 and earlier | ≤ Smart-UPS NMC1 3.9.2 | No fix yet
Uninterruptible Power Supply (UPS) using NMC1 - SUMX AP9619 (discontinued in Sep 2012), Smart-UPS NMC1 v3.9.2 and earlier | ≤ Smart-UPS NMC1 3.9.2 | No fix yet
Remediation & Mitigation
Do now
HOTFIX: Update the Treck TCP/IP stack to version 6.0.1.67 or later. Contact security@treck.com for patch availability.
WORKAROUND: Disable or restrict network access to devices running Treck TCP/IP until patching is complete. Use firewall rules to block inbound traffic from untrusted networks.
HARDENING: Implement network segmentation to isolate industrial devices from corporate networks and the internet. Use air-gapped networks or VLANs with strict access controls.
Long-term hardening
HARDENING: Enable network monitoring and intrusion detection on segments containing Treck TCP/IP devices to detect anomalous packet patterns.
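The three "Do now" steps above (patch to 6.0.1.67, restrict network access until patched, segment) amount to one triage-and-isolate procedure. The script below is an added example, not code from the advisory, Treck or Schneider Electric: it reads a constructed asset inventory (hostname, IP, reported Treck version; the CSV layout and the device names are assumptions), flags every device still below the 6.0.1.67 fix threshold with a numeric rather than string version comparison, and emits an nftables ruleset that lets only listed engineering hosts reach the unpatched devices and logs-and-drops everything else. The deployment point is assumed to be a Linux firewall forwarding between the corporate and OT segments.

```python
"""Triage an OT inventory against the Treck fix threshold and generate an
nftables allowlist isolating devices that still need the 6.0.1.67 update."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Version at which Treck shipped the remediated stack (from the advisory).
FIXED_TRECK_VERSION = "6.0.1.67"

# Constructed sample inventory: hostnames, addresses and versions are made up.
SAMPLE_INVENTORY = """\
hostname,ip,treck_version
plc-line1,10.20.1.11,6.0.1.66
rtu-substation,10.20.1.12,6.0.1.67
sensor-gw,10.20.1.13,5.0.1.35
ups-nmc2,10.20.1.14,6.0.1.70
"""


@dataclass(frozen=True)
class Device:
    hostname: str
    ip: str
    treck_version: str


def parse_version(s: str) -> tuple[int, ...]:
    """'6.0.1.67' -> (6, 0, 1, 67). Comparing tuples of ints avoids the
    string-comparison trap where '6.0.1.7' would sort after '6.0.1.67'."""
    return tuple(int(part) for part in s.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True for any stack version earlier than the remediated release."""
    return parse_version(version) < parse_version(FIXED_TRECK_VERSION)


def load_inventory(text: str) -> list[Device]:
    """Parse the (assumed) CSV layout: hostname, ip, treck_version."""
    reader = csv.DictReader(io.StringIO(text))
    return [Device(r["hostname"], r["ip"], r["treck_version"]) for r in reader]


def triage(devices: list[Device]) -> list[Device]:
    """Devices that still need the hotfix and must be isolated meanwhile."""
    return [d for d in devices if is_vulnerable(d.treck_version)]


def nft_isolation_ruleset(vulnerable: list[Device], trusted_sources: list[str]) -> str:
    """Build an nftables ruleset (as text) for a forwarding firewall:
    trusted management hosts may reach unpatched devices, all other
    traffic to them is logged and dropped. IPv4 only; see usage note."""
    if not vulnerable:
        return "# no unpatched Treck devices in inventory; nothing to isolate\n"
    lines = [
        "table inet treck_isolation {",
        "  set unpatched_treck {",
        "    type ipv4_addr",
        "    elements = { " + ", ".join(sorted(d.ip for d in vulnerable)) + " }",
        "  }",
    ]
    if trusted_sources:
        lines += [
            "  set trusted_sources {",
            "    type ipv4_addr",
            "    elements = { " + ", ".join(sorted(trusted_sources)) + " }",
            "  }",
        ]
    lines += [
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    if trusted_sources:
        lines.append("    ip daddr @unpatched_treck ip saddr @trusted_sources accept")
    lines += [
        '    ip daddr @unpatched_treck log prefix "treck-isolation-drop " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    devices = load_inventory(SAMPLE_INVENTORY)
    needs_patch = triage(devices)
    for d in needs_patch:
        print(f"UNPATCHED {d.hostname} {d.ip} Treck {d.treck_version} < {FIXED_TRECK_VERSION}")
    # "10.10.0.5" is an assumed engineering workstation allowed through.
    print(nft_isolation_ruleset(needs_patch, ["10.10.0.5"]))
```

Two caveats follow from the advisory itself. The ruleset uses an ipv4_addr set, but the defects include the IPv6 implementation, so a real deployment needs a matching ip6_addr set and ip6 rules. And a forward-chain filter only governs routed traffic: hosts on the same segment as an unpatched device (the "same network segment" prerequisite above) still reach it directly, which is why the advisory pairs the firewall workaround with VLAN segmentation.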
