Loading

Treck Ripple20 TCP/IP Vulnerabilities Affect Multiple Rockwell Automation Products

Severity:
Low,
Critical,
Medium
Advisory ID:
PN1508
发布日期:
November 01, 2022
上次更新时间:
August 15, 2025
Revision Number:
7.0
Known Exploited Vulnerability (KEV):
否
Corrected:
是
Workaround:
是
CVE IDs
CVE-2020-11914,
CVE-2020-11910,
CVE-2020-11901,
CVE-2020-11907,
CVE-2020-11911,
CVE-2020-11912,
CVE-2020-25066,
CVE-2020-11906
摘要
Treck Ripple20 TCP/IP Vulnerabilities Affect Multiple Rockwell Automation Products

 

Revision Number

8.0

Revision History
Version 8.0 - Ausgust 15, 2025 Updated Kinetix vulnerability discrepancies
Version 7.0 - August 8, 2025 Updated affected products list and user actions
Version 6.0 – August 13,  2024. Updated affected products list and user actions
Version 5.0 – November 1, 2022. Added patch information for additional products
Version 4.0 – May 17, 2022. Updated patch information for PowerFlex 755T and 6000T
Version 3.0 – February 9, 2021. Updated for ICSA-20-353-01.
Version 2.1 - January 13, 2021. Updated to reflect additional disclosure.
Version 2.0 - July 15, 2020. Updated table to reflect affected products and versions.
Version 1.0 - June 16, 2020. Initial Release.

Executive Summary

Treck, a real-time embedded Internet Protocol software vendor, reported several vulnerabilities (named "Ripple20") to Rockwell Automation that were discovered by security researchers at JSOF, a security vendor and research organization.  The embedded TCP/IP stack (versions earlier than 6.0.1.66) from Treck is used by many different technology vendors including Rockwell Automation. These vulnerabilities, if successfully exploited, may result in remote code execution, denial-of-service, or sensitive information disclosure.

Begin Update 3.0
On December 18, 2020, Treck reported four additional vulnerabilities that were discovered by security researchers at Intel. The following components of the embedded TCP/IP stack (versions 6.0.1.67 and prior) are affected: HTTP Server, IPv6, and DCHPv6. These vulnerabilities, if successfully exploited, may result in denial-of-service conditions or remote code execution.
End Update 3.0

Since this disclosure is part of a large multi-party coordination effort with the CERT/CC 
and ICS-CERT, not every vulnerability reported by Treck impacts Rockwell Automation. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding CVE ID.


Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

Affected Product Family Affected Versions CVE-2020-XXXXX
11896
11897 11898 11899 11900 11901 11902 11903 11904 11905 11906 11907 11908 11909 11910 11911 11912 11913 11914
5094-AEN2SFPR/XT
5094-AEN2TR/XT
5094-AENSFPR/XT
5094-AENTR/XT

1.011-4.011           X         X X     X X X    
5069-AENTR 3.011-4.011           X         X X     X X X    
1734-AENT/R 4.001- 6.012           X         X X     X X X    
1738-AENT/R 4.001- 6.012           X         X X     X X X    
1732E-16CFGM12R
 1732E-8X8M12DR
 1732E-IB16M12DR
1732E-IB16M12R
 1732E-OB16M12DR
 1732E-OB16M12R
2.011-2.012           X         X X     X X X    
1791ES-ID2SSIR 1.001                                      
1799ER-IQ10XOQ10 2.011           X         X X     X X X    
1794-AENTR/XT 1.011-1.017           X         X X     X X X    
1732E-12X4M12QCDR
 1732E-16CFGM12QCR
 1732E-16CFGM12QCWR
 1732E-12X4M12P5QCDR
 1732E-16CFGM12P5QCR
1.011-1.015           X         X X     X X X    
1732E-16CFGM12P5QCWR
1.011-2.011           X         X X     X X X    
PowerMonitor™ 5000 4.19           X         X X     X X X   X
PowerMonitor 1000 4.10           X         X X     X X X   X
ArmorStart® ST+ Motor Controller 1.001           X         X X     X X      
Kinetix® 5500 All*                     X X     X X X    
Kinetix® 5700 All*                     X X     X X X    
Kinetix® 5100 1.001                     X X     X X X    
PowerFlex 755T
PowerFlex 6000T
All*           X         X X     X X      
CIP Safety™ Encoder All*           X         X X     X X      

Begin Update 3.0:
Affected Product Family Affected Versions CVE
1734-AENT/R 4.001- 6.012 CVE-2020-25066
1738-AENT/R 4.001- 6.012 CVE-2020-25066
1794-AENTR
1794-AENTR/XT
1.011- 1.017 CVE-2020-25066
1732E-16CFGM12R
1732E-8X8M12DR
1732E-IB16M12DR
1732E-IB16M12R
1732E-OB16M12DR
1732E-OB16M12R
2.011-2.012 CVE-2020-25066
1799ER-IQ10XOQ10 2.011 CVE-2020-25066
1732E-12X4M12QCDR
1732E-16CFGM12QCR
1732E-16CFGM12QCWR
1732E-12X4M12P5QCDR
1732E-16CFGM12P5QCR
1.011-1.015 CVE-2020-25066
1732E-16CFGM12P5QCWR 1.011-2.011 CVE-2020-25066
PowerMonitor™ 5000 4.19 CVE-2020-25066
PowerMonitor 1000 4.10 CVE-2020-25066
End Update 3.0

 

Begin Update 6.0

 

 

Affected Product Family

 

 

 

 

Affected Versions

 

 

 

 

CVE

 

 

 

 

PowerFlex 527

 

 

 

 

all

 

 

 

 

CVE-2020-25066

 

 

End Update 6.0

 

Vulnerability Details

Begin Update 3.0:
CVE-2020-25066

A vulnerability in the Treck HTTP Server components allow an attacker to cause denial-of-service condition. This vulnerability may also result in arbitrary code execution.

CVSSv3.1 Score: 9.8/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
End Update 3.0


CVE-2020-11901
There is an improper input validation issue in the DNS resolver component when handling a sent packet. A remote, unauthenticated attacker may be able to inject arbitrary code on the target system using a maliciously crafted packet.

CVSSv3.1 Score: 9.1/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2020-11906
There is an improper input validation issue in the Ethernet Link Layer component. An adjacent, unauthenticated attacker can send a malicious Ethernet packet that can trigger an integer underflow event leading to a crash or segment fault on the target device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11907
There is an improper handling of length parameter consistency issue in the TCP component. A remote, unauthenticated, attacker can send a malformed TCP packet that can trigger an integer underflow event leading to a crash or segmentation fault on the device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11910
There is an improper input validation issue in the ICMPv4 component. A remote, unauthenticated attacker can send a malicious packet that may expose data present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11911
There is an improper access control issue in the ICPMv4 component. A remote, unauthenticated attacker can send a malicious packet that can lead to higher privileges in permissions assignments for some critical resources on the destination device.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2020-11912
There is an improper input validation issue in the IPv6 component. A remote, unauthenticated attacker can send a malicious packet that may expose some data that is present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11914
There is an improper input validation issue in the ARP component. An unauthenticated, local attacker can send a malicious Layer-2 ARP packet that could lead to unintended exposure of some sensitive information on the target device.

CVSSv3.1 Score: 3.1/LOW
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Update 2.1: Rockwell Automation is aware of the additional Treck TCP/IP Stack vulnerabilities disclosed (ICSA-20-353-01). Potential impact of these vulnerabilties is currently being investigated and this advisory will be updated when the investigation concludes.

Risk Mitigation & User Action

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.
CVE Suggested Actions

CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11914

For successful exploitation, these vulnerabilities require malformed TCP/IP packets to reach the destination device and an active network connection. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies.

The CERT/CC has provided IDS rules to support additional mitigations for these vulnerabilities. These rules can be found on their Github page.

ICS-CERT has provided additional network mitigations in their public disclosure.

Begin Update 3.0:
CVE Suggested Actions
CVE-2020-25066 Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header.

ICS-CERT has provided additional network mitigations in their public disclosure.

End Update 3.0


Available Fixes:

Update 8.0 August 15, 2025

 

 

CVE

 

 

 

 

Affected Product

 

 

 

 

Suggested Actions

 

 

 

 

CVE-2020-11901 
CVE-2020-11906 
CVE-2020-11907 
CVE-2020-11910 
CVE-2020-11911 
CVE-2020-11912

 

 

 

 

1794-AENTR/XT

 

 

 

 

Apply firmware v2.011 or later

 

 

(Download).

 

 

 

 

CVE-2020-11901 
CVE-2020-11906 
CVE-2020-11907 
CVE-2020-11910 
CVE-2020-11911 
CVE-2020-11912

 

 

 

 

1738-AENT

 

 

1738-AENTR

 

 

 

 

Apply firmware v6.011 or later

 

 

(Download).

 

 

 

 

CVE-2020-11901 
CVE-2020-11906 
CVE-2020-11907 
CVE-2020-11910 
CVE-2020-11911 
CVE-2020-11912

 

 

 

 

1734-AENT/K

 

 

1734-AENTR/K

 

 

 

 

 

 

 

Apply firmware

 

 

-v5.019 or later for series B

 

 

(Download).

 

 

-v7.011 or later for series C

 

 

(Download).

 

 

 

 

 

 

 

 

 

 

CVE-2020-11901 
CVE-2020-11906 
CVE-2020-11907 
CVE-2020-11910 
CVE-2020-11911 
CVE-2020-11912

 

 

 

 

5069-AENTR

 

 

 

 

Apply firmware v4.012 or later (Download).

 

 

 

 

CVE-2020-11901

 

 

CVE-2020-11906

 

 

CVE-2020-11907

 

 

CVE-2020-11910

 

 

CVE-2020-11911

 

 

CVE-2020-11912

 

 

 

 

5094-AEN2SFPR/XT

 

 

5094-AEN2TR/XT

 

 

5094-AENSFPR/XT

 

 

5094-AENTR/XT

 

 

 

 

Apply firmware v5.012 or later (Download). 

 

 

 

 

CVE-2020-11906 
CVE-2020-11907 
CVE-2020-11910 
CVE-2020-11911 
CVE-2020-11912

 

 

 

 

Kinetix 5700

 

 

 

 

Apply v13 or later (Download).

 

 

 

 

CVE-2020-11906 
CVE-2020-11907 
CVE-2020-11910 
CVE-2020-11911 
CVE-2020-11912

 

 

 

 

Kinetix 5500

 

 

 

 

 

 

 

Apply v7.013 or later

 

 

(Download).

 

 

 

 

CVE-2020-11906 
CVE-2020-11907 
CVE-2020-11910 
CVE-2020-11911 
CVE-2020-11912

 

 

 

 

Kinetix 5100

 

 

 

 

Apply v3.001 or later

 

 

(Download).

 

 

 

 

CVE-2020-11901

 

 

CVE-2020-11906

 

 

CVE-2020-11907

 

 

CVE-2020-11910

 

 

CVE-2020-11911

 

 

CVE-2020-11912

 

 

 

 

PowerFlex 755T

 

 

PowerFlex 6000T

 

 

 

 

Apply 6.005 or later for PF755T.  Apply R8 or later for PF6000T. (Download)  

 

 

 

 

 

End Update 8.0 August 15, 2025
Update 7.0 August 7, 2025

 

 

CVE

 

 

 

 

Affected Product Family

 

 

 

 

Suggested Actions

 

 

 

 

CVE-2020-25066

 

 

 

 

 

 

 

1734-AENT/K

 

 

1734-AENTR/K

 

 

 

 

Apply firmware

 

 

-v5.019 or later for series B

 

 

-v7.011 or later for series C

 

 

 

 

1738-AENT

 

 

1738-AENTR

 

 

 

 

Apply firmware v6.011 or later

 

 

 

 

1794-AENTR/XT

 

 

 

 

Apply firmware v2.011 or later

 

 

 

 

1732E-16CFGM12R

 

 

1732E-8X8M12DR

 

 

1732E-IB16M12DR

 

 

1732E-IB16M12R

 

 

1732E-OB16M12DR

 

 

1732E-OB16M12R

 

 

 

 

Apply firmware 3.011 or later.

 

 

 

 

1799ER-IQ10XOQ10

 

 

 

 

Apply firmware 3.011 or later.

 

 

 

 

1732E-12X4M12QCDR

 

 

1732E-16CFGM12QCR

 

 

1732E-16CFGM12QCWR

 

 

1732E-12X4M12P5QCDR

 

 

1732E-16CFGM12P5QCR

 

 

 

 

Apply firmware 3.011 or later.

 

 

 

 

1732E-16CFGM12P5QCWR

 

 

 

 

Apply firmware 3.011 or later.

 

 

End Update 7.0

Update Begin 6.0

 

 

CVE-2020-25066    

 

 

 

 

   PowerFlex 527            

 

 

 

 

 

 

Follow suggested actions above

and, when possible, implement

firewall rules to filter out packets

that contain a negative content

length in the HTTP header.

 

 

 

 

 

 

 

 

End Update Begin 6.0

 

General Security Guidelines

 Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that ICMPv4, TCP, ARP and DNS traffic originating from unauthorized sources is blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.

Software/PC-based Mitigation Strategies
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk.  Information on using AppLocker with Rockwell Automation® products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations
Use trusted software, software patches antivirus/antimalware programs and interact only with trusted websites
and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://kb.cert.org/vuls/id/257161
  • https://us-cert.cisa.gov/ics/advisories/icsa-20-353-01

 

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Rockwell Automation 主页
  2. Chevron LeftChevron Left Trust Center
  3. Chevron LeftChevron Left Industrial Security Adv
  4. Chevron LeftChevron Left Industrial Security Advisory Detail
请更新您的Cookies偏好以继续.
此功能需要Cookies来增强您的体验。请更新您的系统偏好以允许使用这些Cookies:
  • 社交媒体Cookies
  • 功能Cookies
  • 性能 Cookies
  • 市场营销Cookies
  • 所有Cookies
您可以随时更新您的系统偏好。如需了解更多信息,请参阅我们的 {0} 隐私政策
CloseClose