Security Vulnerabilities in Treck TCP/IP Software

Applies To:

See description for details.

Versions Affected:

See description for details.

Resolved In Version:

10.3b

Symptoms:

The Cybersecurity and Infrastructure Security Agency (CISA) issued an Industrial Control Systems (ICS) Advisory (ICSA-20-168-01) detailing 19 different vulnerabilities in the Treck TCP/IP software, which Opto 22 uses for network communication in some of its products. These vulnerabilities are referred to collectively as "Ripple20".

Opto 22 has reviewed its product set for exposure to these vulnerabilities and has determined that the following sub-set of vulnerabilities affects the listed products:

CVE ID	Description	Affected Products
CVE-2020-11901	Possible remote code execution via a single invalid DNS response.	The following products with firmware versions R9.1a or later: SNAP-PAC-S1 SNAP-PAC-S1-FM SNAP-PAC-S1-W SNAP-PAC-S2 SNAP-PAC-S2-W SNAP-PAC-R1 SNAP-PAC-R1-FM SNAP-PAC-R1-W SNAP-PAC-R1-B SNAP-PAC-R2 SNAP-PAC-R2-FM SNAP-PAC-R2-W
CVE-2020-11904	Integer Overflow during Memory Allocation that causes an Out-of-Bounds Write	The following products with firmware versions R1.0a or later: SNAP-PAC-S1, SNAP-PAC-S1-FM, SNAP-PAC-S1-W SNAP-PAC-S2, SNAP-PAC-S2-W SNAP-PAC-R1, SNAP-PAC-R1-FM, SNAP-PAC-R1-W, SNAP-PAC-R1-B SNAP-PAC-R2, SNAP-PAC-R2-FM, SNAP-PAC-R2-W SNAP-PAC-EB1, SNAP-PAC-EB1-FM, SNAP-PAC-EB1-W SNAP-PAC-EB2, SNAP-PAC-EB2-FM, SNAP-PAC-EB2-W G4EB2
CVE-2020-11906	Ethernet Link Layer Integer Underflow
CVE-2020-11907	Length Parameter Inconsistency in TCP
CVE-2020-11911	Improper ICMPv4 Access Control
CVE-2020-11912	TCP Out-of-bounds Read
CVE-2020-11914	ARP Out-of-bounds Read

Opto 22 continues to study the effects of these vulnerabilities and will update this article with new information as it becomes available.

Remediation and Mitigation
Opto 22 has released a firmware update (R10.3b) that remediates these vulnerabilities for the indicated products. If you choose not to apply this firmware update, review the following cybersecurity best practices (as mentioned in the ICS-CERT advisory for Ripple20):

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Use an internal DNS server that performs DNS-over-HTTPS for lookups.

In addition, review the mitigation recommendations of the CERT Coordination Center (part of Carnegie Mellon University's Software Engineering Institute) in VU#257161 network mitigations in Github.

More Information About Security and Opto 22 Products
In addition to applying the fix, you can review the following series of OptoBlog postings on security, which can help you review your current practices and identify areas of improvement:

Subscribe to our Opto Blog to be notified of updates to this KB article and other information about Opto 22 products.

Resolution:

Opto 22 has resolved this issue.

Questions?

Contact: Opto 22 Product Support.
Phone: 800-835-6786 or 951-695-3080
Email: support@opto22.com

DISCLAIMER

This Opto 22 Knowledge Base ('OptoKB') article is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this OptoKB article is not intended to constitute application, design, software, or other professional engineering advice or services. Opto 22 may modify the OptoKB articles at any time. Before making any decision or taking any action which might affect your equipment, you should consult a qualified professional.

OPTO 22 DOES NOT WARRANT THE COMPLETENESS, TIMELINESS, OR ACCURACY OF THE DATA CONTAINED IN THIS OPTOKB ARTICLE AND MAY MAKE CHANGES THERETO AT ANY TIME AT ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS 'AS IS.' IN NO EVENT SHALL OPTO 22 BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT, OR DAMAGE, EVEN IF OPTO 22 HAS BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES.

OPTO 22 DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED WITH RESPECT TO THE INFORMATION (INCLUDING HARDWARE, SOFTWARE, AND/OR FIRMWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTIBILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not sanction the exclusion of implied warranties: thus, this disclaimer may not apply to you.