Unrated severity · NVD Advisory · Published Jun 17, 2020 · Updated Aug 4, 2024

CVE-2020-11903

Description

The Treck TCP/IP stack before 6.0.1.28 has a DHCP Out-of-bounds Read.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Treck TCP/IP stack before 6.0.1.28 has an out-of-bounds read vulnerability in DHCP that could allow remote information disclosure.

Vulnerability

The Treck TCP/IP stack versions before 6.0.1.28 contain an out-of-bounds read vulnerability in the DHCP component [1][2]. This bug is part of the Ripple20 set of vulnerabilities affecting Treck IP stack implementations in embedded systems [1][2]. The vulnerability exists in the DHCP parsing logic, which can read memory beyond the intended buffer boundaries when it processes specially crafted DHCP packets.

Exploitation

A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted DHCP packet to a target device running an affected version of the Treck TCP/IP stack [1][2]. No authentication or prior access is required. The attacker only needs network connectivity to the target device to send the malicious packet.

Impact

Successful exploitation could allow an attacker to read out-of-bounds memory, potentially leading to the disclosure of sensitive information [1][2]. In some configurations, this out-of-bounds read could be leveraged for further impact such as denial of service or arbitrary code execution, depending on the build options of the embedded system [1][2].

Mitigation

The official fix is to update the Treck IP stack to version 6.0.1.67 or later [1][2]. For downstream users of embedded systems incorporating Treck IP, updates must be obtained from the respective device vendor [1][2]. Dell and Cisco have released advisories identifying affected products and providing fixes [3][4]. Network-based mitigations such as deep packet inspection or blocking anomalous DHCP traffic may also reduce risk [1][2].
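A structural check of the kind the network-based mitigation above points to, as an added example (not Treck's code and not taken from the advisory): it walks the DHCP options of a captured UDP payload and rejects any option whose declared length runs past the end of the packet. The page does not say which malformed field triggers CVE-2020-11903, so this covers option-length sanity in general using the RFC 2131 layout; `dhcp_check`, `make_sample` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOOTP_FIXED_LEN 236 /* RFC 2131 fixed header preceding the magic cookie */
static const uint8_t COOKIE[4] = { 0x63, 0x82, 0x53, 0x63 };
enum verdict { DHCP_OK, TOO_SHORT, BAD_COOKIE, OPT_TRUNCATED, OPT_OVERRUN, BAD_MSG_TYPE, NO_END };

/* Walk the options of a UDP payload claimed to be DHCP; every read is bounds-checked first. */
enum verdict dhcp_check(const uint8_t *pkt, size_t len)
{
    size_t off = BOOTP_FIXED_LEN;
    if (len < BOOTP_FIXED_LEN + sizeof COOKIE)
        return TOO_SHORT;
    if (memcmp(pkt + off, COOKIE, sizeof COOKIE) != 0)
        return BAD_COOKIE;
    off += sizeof COOKIE;
    while (off < len) {
        uint8_t code = pkt[off++];
        if (code == 0)                  /* pad: single byte, no length field */
            continue;
        if (code == 255)                /* end marker reached: structure is sound */
            return DHCP_OK;
        if (off >= len)                 /* the length byte itself is missing */
            return OPT_TRUNCATED;
        uint8_t olen = pkt[off++];
        if (olen > len - off)           /* declared value runs past the packet */
            return OPT_OVERRUN;
        if (code == 53 && olen != 1)    /* DHCP message type is exactly one byte */
            return BAD_MSG_TYPE;
        off += olen;
    }
    return NO_END;                      /* options ended without an end marker */
}

/* Constructed sample: zeroed BOOTP header + magic cookie + caller-supplied options. */
size_t make_sample(uint8_t *buf, const uint8_t *opts, size_t n)
{
    memset(buf, 0, BOOTP_FIXED_LEN);
    memcpy(buf + BOOTP_FIXED_LEN, COOKIE, sizeof COOKIE);
    memcpy(buf + BOOTP_FIXED_LEN + sizeof COOKIE, opts, n);
    return BOOTP_FIXED_LEN + sizeof COOKIE + n;
}

int main(void)
{
    uint8_t buf[300];
    const uint8_t bad[] = { 53, 1, 1, 12, 200, 'a' }; /* host name claims 200 bytes, 1 present */
    printf("verdict=%d\n", dhcp_check(buf, make_sample(buf, bad, sizeof bad)));
    return 0;
}
```

A filter built on this would drop or alert on any verdict other than `DHCP_OK` before the packet reaches an unpatched device.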

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

References: 9