Last week JSOF, a cybersecurity team, disclosed 19 vulnerabilities found in a library developed by Treck, Inc. Two of these are code execution vulnerabilities. According to the report, millions of devices, ranging from printers to other embedded networking devices, use the Treck library as their TCP/IP stack.
JSOF hasn’t released too many details on most of the vulnerabilities except for the two most critical ones. In both cases, the researchers were able to abuse IP tunneling and packet fragmentation to carry out a buffer overflow attack. This allows malicious code to run without any user input. For those interested in the technical side, JSOF published the white paper on the two vulnerabilities here. (Behind an email gate.)
Treck, Inc. has provided networking code for almost 20 years, and its library has been integrated into the supply chain of many devices, including those from Intel and HP. Devices with Treck libraries installed seem to be mostly IoT devices and Programmable Logic Controllers (PLCs), but we still don’t know the extent of the vulnerable devices.
For devices in your network, patching the vulnerable devices provides the best protection, but not all devices will have patches available. For now, JSOF recommends the following steps to protect your network. We also provide what the Firebox can do to help you with the recommended steps.
- Normalize or block IP fragments, disable or block IP tunneling, enforce TCP inspection, and reject malformed TCP packets. The Firebox blocks malformed IP packets and TCP segments. Simply having the Firebox route the traffic will cover most attack surfaces.
- To prevent bypassing perimeter protections, you should block IP source routing and IPv6 routing. The WatchGuard default configuration will block source routing in the Default Packet Handling. Don’t enable source routing unless you know what it means and you know a program needs it enabled to function.
- Normalize DNS through a secure recursive server or DNS inspection firewall. The Firebox provides DNS inspection through the DNS proxy.
- JSOF also recommends securing DHCP and using static IPs if possible. In extreme cases, like protecting critical infrastructure, you may want to disable DHCP. Before you disable DHCP, understand that to send malicious DHCP packets, one must first bypass the firewall and create a DHCP server inside your network. Furthermore, the Firebox won’t allow DHCP packets from one network to another unless configured to do so. To prevent internal attacks, configure any downstream switch with DHCP snooping if supported.
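
To check what a perimeter filter applying the first two steps should drop, the following added example (not WatchGuard or JSOF code) classifies raw IPv4 headers for fragments, IP-in-IP tunneling and source-routing options. The names `classify_ipv4` and `build` are hypothetical, the sample packets are constructed, and the check does not verify checksums or reassemble fragments.

```python
import struct

TUNNEL_PROTOS = {4: "IPv4-in-IPv4", 41: "IPv6-in-IPv4"}  # IP protocol numbers
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}           # loose / strict source route

def classify_ipv4(pkt: bytes) -> list:
    """Return the reasons a filter applying the steps above would drop pkt ([] = pass)."""
    if len(pkt) < 20:
        return ["truncated-header"]
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        return ["malformed-header"]
    reasons = []
    if total_len < ihl or total_len > len(pkt):
        reasons.append("bad-total-length")
    if flags_frag & 0x2000 or flags_frag & 0x1FFF:  # MF flag set or offset != 0
        reasons.append("fragment")
    if proto in TUNNEL_PROTOS:
        reasons.append("ip-tunnel")
    i = 20
    while i < ihl:                                   # walk the IPv4 options
        opt = pkt[i]
        if opt == 0:                                 # End of Option List
            break
        if opt == 1:                                 # No-Operation padding
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            reasons.append("malformed-option")
            break
        if opt in SOURCE_ROUTE_OPTS:
            reasons.append("source-route-" + SOURCE_ROUTE_OPTS[opt])
        i += pkt[i + 1]
    return reasons

def build(proto, flags_frag=0, options=b"", payload=b""):
    """Constructed sample packet (documentation addresses, checksum left at 0)."""
    ihl = 20 + len(options)
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + len(payload), 1,
                       flags_frag, 64, proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 7])) + options + payload

if __name__ == "__main__":
    inner = build(6, payload=b"\x00" * 20)
    lsrr = bytes([131, 7, 4, 203, 0, 113, 9, 0])     # LSRR option + EOL pad
    for name, pkt in [("plain TCP", inner),
                      ("fragmented IP-in-IP", build(4, 0x2000, payload=inner)),
                      ("source routed", build(6, options=lsrr, payload=b"\x00" * 20))]:
        print(name, classify_ipv4(pkt) or "pass")
```
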
Any device protected by the Firebox isn’t susceptible to this attack unless someone bypasses your network perimeter. As we hear more about this new vulnerability we will update you here. Additionally, WatchGuard doesn’t use Treck software on any Firebox or AP. All WatchGuard devices are NOT vulnerable.