26 January 2021
Twentieth for Ripple20: Vulnerability in embedded web server of I/O expansion modules for IoT
A buffer overflow vulnerability in the Treck web server affects Schneider Electric TM3 series bus coupler modules.
The TM3 series bus coupler modules support distributed input-output in IoT infrastructure together with related devices such as Modicon logic controllers, communication modules and expansion modules. The web server is used for configuring devices, as demonstrated in this vendor video. It is clear that exploitation of the buffer overflow vulnerability is possible only for functions accessible when connecting to the web server via the device’s USB RNDIS interface. The vendor recommends minimizing the use of this interface until a fix becomes available.
As is typical for this type of vulnerability, its exploitation can lead to a DoS (though it is unclear whether this is a condition of the server or the device as a whole) and possibly arbitrary code execution. The vulnerability has a CVSS v3.1 base score of 10. The fact that authorization is not required to carry out an attack can be attributed to the possibility of the device using the default password (which is obvious from the video), as well as to an error in the authorization mechanism or in the functions which are accessible without any authorization at all.
Interestingly, according to the third-party developer of the web server, Treck Inc., their products, including the web server, are both secure and high performing. However, multiple vulnerability advisories and the nature of the vulnerabilities detected in Treck Inc. products do not support this statement. Researchers believe that the recent group of 19 vulnerabilities detected in Treck’s stack implementation, which is known as Ripple20, will affect IoT security for years to come.
We do give Treck Inc. credit for publishing a list of vulnerability advisories for their products on their website. However, this only partially compensates for the problems encountered with the IoT devices for which the vendor is forced to recommend isolation – in direct conflict with the purpose of these devices, which is to support constant and transparent data transfers between the physical and virtual worlds.
Vulnerability information publication date: December 18, 2020 (the date is incorrectly given as October 18 in the advisory)
Sources: NIST, Sсhneider Electric