Ripple20 bugs expose hundreds of millions of devices to attacks

Hundreds of millions of connected devices may be vulnerable to remote attacks due to a series of 19 vulnerabilities in a popular TCP/IP software library developed by a software company called Treck. Collectively dubbed Ripple20, the flaws affect IoT devices produced by specialized boutique vendors as well as multiple Fortune 500 companies, according to Israel-based security company JSOF, which discovered the security holes.

Vulnerable products include smart-home devices, industrial control systems, medical and healthcare systems, and even devices used in key parts of infrastructure such as energy, transportation, communication and the government and national security sectors.

JSOF highlighted a few possible high-risk scenarios that could occur if these flaws were to be weaponized:

“Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries;” they said, before adding that this was just a sample of the damage that could be wreaked.

A major challenge faced by the researchers involved tracking the distribution trail of Treck’s TCP/IP library. They found out that over the last 20 years it has made its way into countless devices distributed around the world. They even discovered different branches of the library due to Treck’s joint project with a Japanese company in the 1990s, with which Treck later parted ways.

According to a security advisory by the Department of Homeland Security’s Cybersecurity and Infrastructure and Security Agency (CISA), four vulnerabilities are rated critical and earned a base score of above 9 on the CVSSv3 vulnerability scale (the scale rates from 1 to 10).

Two flaws – CVE-2020-11896 and CVE-2020-11897 – earned a “perfect” severity score of 10, underlining the seriousness of the issue. The former could result in remote code execution while the latter may result in an out‑of‑bounds write. Two more vulnerabilities were rated as critical: CVE-2020-11898 could lead to information leakage and CVE-2020-11901 could allow remote code execution through a single invalid DNS response.

RELATED READING: What happens when the global supply chain breaks?

Four loopholes – one high- and three low-severity – have been closed over the years due to routine code changes, but remained open on some affected devices, while many others have multiple variants due to the TCP/IP stack configurability and changes.

However, Ripple20 still presents a sizable risk for devices that are still in use. “In all scenarios, an attacker can gain complete control over the targeted device remotely, with no user interaction required,” said JSOF.

To mitigate the risks, JSOF has a variety of recommendations, including comprehensive risk assessment before defensive measures are deployed. Computer emergency response teams (CERT) such as Carnegie Mellon’s CERT Coordination Center as well as JPCERT/CC, and CERT IL have also released advisories on how to handle risks stemming from Ripple20. If patches have been released, you should apply them now.

17 Jun 2020 – 09:00PM