Critical 'Ripple20' Vulnerabilities Affecting Millions of Internet Connected Devices

Treck TCP/IP is a high-performance TCP/IP protocol suite designed for embedded systems.
A set of 19 critical and high-severity security vulnerabilities have been discovered by Israeli security research firm JSOF in a low-level TCP/IP software library developed by Treck.
Dubbed “Ripple20“, affecting hundreds of millions of internet of things (IoT) and industrial control devices. If an attacker weaponizes these vulnerabilities, it could allow the perpetrator to gain complete control over targeted devices without requiring any user interaction.

Affected hardware includes everything from connected printers to medical infusion pumps and industrial-control gear, according to researchers at JSOF’s research lab.

These vulnerabilities exist in connected devices offered by various companies including Schneider Electric, Caterpillar, Cisco, HP, Intel, Rockwell Automation, among others. Also, other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries.

“The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain ‘ripple-effect,’” researchers said in a posting on Tuesday. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people.

One of the vulnerabilities could enable entry from outside into the network boundaries; this is only a small taste of the potential risks.


The Most Critical Vulnerabilities

There are four critical vulnerabilities in Treck TCP/IP stack, with CVSS scores more than 9, which could let attackers execute arbitrary code on targeted devices remotely, and one critical bug affects the DNS protocol. If successfully exploited, data could be stolen off of a printer, a medical device’s behavior could be tampered with, or industrial control devices could be made to malfunction. Also, an attacker could hide malicious code within embedded devices for years.

  • [CVE-2020-11896] CVSS v3 base score 10.0:
    • The flaws exist due to improper handling of length parameter inconsistency in the IPv4/UDP component when a crafted packet sent by an unauthorized network attacker.
    • This vulnerability can be exploited by sending malformed IPv4 packets to a device supporting IPv4 tunneling. Successful exploitation could result in remote code execution.
  • [CVE-2020-11897] CVSS v3 base score 10.0:
    • The flaws exist due to improper handling of length parameter inconsistency in the IPv6 component when a crafted packet sent by an unauthorized network attacker.
    • This vulnerability can be exploited by sending multiple malformed IPv6 packets to a device running treck. It affects any device running an older version of Treck with IPv6 support. Successful exploitation could result in possible out-of-bounds write and remote code execution.
  • [CVE-2020-11898] CVSS v3 base score 9.1:
    • The flaws exist due to improper handling of length parameter inconsistency in the IPv4/ICMPv4 component when a crafted packet sent by an unauthorized network attacker.
    • This vulnerability can be exploited by sending multiple malformed ICMP packets to a device running treck. Successful exploitation could result in the exposure of sensitive information.
  • [CVE-2020-11901] CVSS v3 base score 9.0:
    • The flaws exist due to improper input validation in the DNS resolver component when a crafted packet sent by an unauthorized network attacker.
    • This vulnerability can be exploited by answering a single DNS request made from the device. Successful exploitation could result in remote code execution.
    • A sophisticated attacker could use this vulnerability to take over a device from outside the network through DNS cache poisoning, or other methods. An attacker can then infiltrate the network and take over the device with one vulnerability bypassing any security measures.

Other vulnerabilities range from high-severity with CVSS score 8.2 such as CVE-2020-11900, a Double Free flaw to low-severity with CVSS score 3.1 such as CVE-2020-11908, Improper Null termination in DHCP component and effects ranging from denial of service to potential remote code execution.

Remaining vulnerabilities details can be found at JSOFs Ripple20 disclosure.

According to researchers, effective exploitation can lead to a host of bad outcomes, such as the remote takeover of devices and lateral movement within the compromised network; broadcast attacks that can take over all impacted devices in the network simultaneously; hiding within an infected device for stealthy recon, and bypassing network address traversal (NAT) protections.

Most of the vulnerabilities are true zero-days, with four of them having been closed over the years as part of routine code changes, but remained open in some of the affected devices (three lower severity, one higher). Many of the vulnerabilities have several variants due to the Stack configurability and code changes over the years.


JSOF has demonstrated the exploitation of these vulnerabilities on different devices as a proof-of-concept.


Impact

The exploitation of these vulnerabilities could allow attackers for remote code execution, denial-of-service (DoS) attacks, and obtain potentially sensitive information.


Solution

Treck has issued a patch for use by OEMs in the latest Treck stack version (6.0.1.67 or higher).

In addition to advisories from ICS CERT, and CERTCC, tech giants like Intel, HP, Schneider Electric, Caterpillar, B.Braun, Green Hills, Rockwell Automation, Cisco have also released their advisories.

We strongly recommend installing these security updates without any delay.


Summary
Author
Publisher Name
SecPod Technologies
Publisher Logo

Leave a Reply

Your email address will not be published. Required fields are marked *