CVE-2020-11900
Description
The Treck TCP/IP stack before 6.0.1.41 has an IPv4 tunneling Double Free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A double-free vulnerability in the IPv4 tunneling code of the Treck TCP/IP stack (before 6.0.1.41) allows a remote, unauthenticated attacker to potentially cause denial of service or arbitrary code execution.
Vulnerability
CVE-2020-11900 is a double-free vulnerability in the IPv4 tunneling code of the Treck TCP/IP stack, affecting versions prior to 6.0.1.41 [1][2]. The bug exists in the memory handling routines for IPv4 tunnel packets and can be triggered when the stack processes specially crafted network packets [1][2]. This vulnerability is part of the Ripple20 set of memory management bugs in the Treck stack [2].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted IPv4 packet to a target device running an affected version of the Treck TCP/IP stack [1][2]. The attacker does not need authentication or prior access, and the attack is performed over the network [2]. The crafted packet triggers a double-free condition in the tunnel processing code, leading to memory corruption [1].
Impact
Successful exploitation of this double-free vulnerability may allow a remote, unauthenticated attacker to achieve a range of impacts, including denial of service (DoS), information disclosure, or arbitrary code execution [2]. The exact impact depends on the implementation and surrounding system details [2]. Given the widespread use of the Treck stack in embedded systems (industrial control, medical devices, etc.), the consequences can be severe [2].
Mitigation
Treck released a fix in version 6.0.1.67 and later; contact Treck at security@treck.com for updates [2]. Downstream users should contact their embedded system vendor for patched firmware [2]. Intel also published mitigation guidance in INTEL-SA-00295 [1]. Dell has released updates for certain client platforms and Teradici firmware [4]. As of June 2020, CVE-2020-11900 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Treck / TCP/IP stack
  - Range: <6.0.1.41
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC (vendor advisory, CISCO)
- www.kb.cert.org/vuls/id/257161 (third-party advisory, CERT-VN)
- www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-006.txt (confirm)
- jsof-tech.com/vulnerability-disclosure-policy/ (misc)
- security.netapp.com/advisory/ntap-20200625-0006/ (confirm)
- support.hpe.com/hpesc/public/docDisplay (misc)
- www.dell.com/support/article/de-de/sln321836/dell-response-to-the-ripple20-vulnerabilities (misc)
- www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html (confirm)
- www.jsof-tech.com/ripple20/ (misc)
- www.kb.cert.org/vuls/id/257161/ (misc)
- www.treck.com (misc)
News mentions
No linked articles in our index yet.