Hundreds of Millions of Connected Devices Affected By Exploitable ‘Ripple20’ RCE TCP/IP Flaws

Nineteen zero-day vulnerabilities have been identified in the TCP/IP communication software library developed by Treck Inc. Countless connected devices across practically all industry sectors, including healthcare, are affected.

Treck is a company based in Cincinnati, OH that designs low-level network protocols for embedded devices. Though not widely known, the company’s software library has been utilized in internet-enabled devices for many years. The code is utilized in numerous low-power IoT devices and real-time operating systems because of its good performance and dependability and is employed in printers, industrial control systems, medical infusion pumps and more.

Security researchers at the Israeli cybersecurity firm JSOF identified the vulnerabilities and named them Ripple20 due to the supply chain ripple effect.

A vulnerability in such a small, widely embedded component can have extensive consequences and may affect a large number of firms and products. For Ripple20, the affected firms include HP, Intel, Rockwell Automation, Schneider Electric, Caterpillar, B. Braun, and Baxter. JSOF also maintains a list of 66 firms that are potentially affected.

Four of the vulnerabilities are rated critical. Two (CVE-2020-11896 and CVE-2020-11897) received the maximum possible severity score of 10, and the other two critical bugs received scores of 9.0 (CVE-2020-11901) and 9.1 (CVE-2020-11898). The first three could allow remote code execution; the fourth could lead to the disclosure of sensitive information.

An attacker can exploit CVE-2020-11896 by sending a malformed IPv4 packet to a device that supports IPv4 tunneling. CVE-2020-11897 can be triggered by sending several malformed IPv6 packets to a device. Both allow stable remote code execution. CVE-2020-11901 can be triggered by replying to a single DNS request issued by a vulnerable device; an attacker exploiting it could take over the device through DNS cache poisoning and bypass all of its security measures.

The remaining 15 vulnerabilities have severity scores ranging from 3.1 to 8.2 and could cause information disclosure, permit denial-of-service attacks, and, in some cases, potentially lead to remote code execution.

The vulnerabilities can be exploited from outside the network. An attacker can take control of a vulnerable internet-facing device or, once a network has been penetrated, attack vulnerable networked devices that are not exposed to the internet. An attacker can also broadcast an attack and seize control of all vulnerable devices on the network at the same time. These attacks require no user interaction and can bypass NAT and firewalls. An attacker could take command of devices completely undetected and remain in control of them for years.

The vulnerabilities can be exploited by sending specially crafted packets that closely resemble valid packets, which makes an ongoing attack difficult to identify. JSOF noted that in certain cases entirely valid packets can be used, which would make an attack practically impossible to detect.

Examples of exploitation include stealing data from a printer, altering the behavior of an infusion pump, or causing industrial control devices to malfunction. An attacker could also conceal malicious code in embedded devices for years.

Treck is currently notifying its customers about the vulnerabilities. The flaws have been patched in its TCP/IPv4/v6 software, so affected organizations must ensure they are running Treck’s software stack version or higher.

The ICS-CERT advisory can be viewed here.