Forum Discussion
Tenable Coverage for Ripple20 Vulnerabilities - Treck TCP/IP
Tenable Coverage for Ripple20 Vulnerabilities - Treck TCP/IP Stack Detection
The Treck stack has been around for over 20 years and integrated into hundreds of products in many different ways. It is at the heart of the Ripple20 vulnerabilities. The stack has been modified based on each vendor / product's needs. Some products further have been acquired by other companies, End Of Life (EOL), End Of Support (EOS), etc. thereby adding to the complexity of the situation.
Tenable has adopted multiple approaches to detecting the Treck stack in a vendor agnostic way while trying our best to ensure the plugins are not destructive to the assets being scanned. Using multiple approaches helps enhance coverage of the diverse Treck stacks out there.
However, depending on the changes the vendors have made to the Treck stack or the way it has been integrated into their products, it may not be possible to detect all instances of the Treck stack remotely in a non-destructive way.
As vendors are releasing patches for the Ripple20 vulnerabilities in their products, we are looking into adding additional coverage on a product.
For the time being, using the recast functionality on vulnerability check for plugin ID 137702 Treck TCP/IP stack multiple vulnerabilities. (Ripple20) can help teams to acknowledge and accept the risk on the report.
Vulnerability Recast
Tenable.io - https://docs.tenable.com/tenableio/vulnerabilitymanagement/Content/Settings/AboutRecastRules.htm
Tenable.sc - https://docs.tenable.com/tenablesc/Content/RecastRiskRules.htm
Detection Plugins
- 138614 Treck/Kasago Network Stack Detection
- 138615 Treck/Kasago Network Stack Detection With IP Option.
- 137703 Treck/Kasago Network Stack Detection
Vulnerability Detection Plugins
- 137702 Treck TCP/IP stack multiple vulnerabilities. (Ripple20)
2 Replies
Hi Pablo -- is there any way Tenable can provide the logic used by the plugin to determine when the Treck stack is "detected"? The plugin is currently marking a product I'm working on as "stack detected", however I see no reason why it would do that (I've used the JSOF script directly, and none of its tests are coming back as a possible "positive" detection of the Treck stack). Also, the vendor which provides our ethernet stack has told us that the Treck code is not used in their stack.
I have an active Tenable support case on this issue, however they just pointed me to this article. I understand that I am likely seeing a false positive, but I need to understand why its occurring before I'll be satisfied with that conclusion.
Ron
