Exploitable ‘Ripple20’ RCE TCP/IP Flaws Affect Hundreds of Millions of Connected Devices


Nineteen zero-day vulnerabilities have been identified in the TCP/IP communication software library developed by Treck Inc. They impact hundreds of millions of connected devices across virtually all industry sectors, including healthcare.

Treck is a Cincinnati, OH-based company that develops low-level network protocols for embedded devices. The company may not be widely known, but its software library has been used in internet-enabled devices for decades. Because of its high performance and reliability, the code is found in many low-power IoT devices and real-time operating systems, including industrial control systems, printers, medical infusion pumps and many more.

The vulnerabilities were identified by security researchers at the Israeli cybersecurity company JSOF, who named the vulnerabilities Ripple20 because of the supply chain ripple effect.

A vulnerability in a small component can have wide-reaching consequences and can affect a huge number of companies and products. In the case of Ripple20, affected companies include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, B. Braun, and Baxter. JSOF has a list of 66 companies that are also potentially affected.

Four of the vulnerabilities are rated critical, with two (CVE-2020-11896 / CVE-2020-11897) receiving the highest possible severity score of 10 out of 10 and the other two critical bugs receiving scores of 9.0 (CVE-2020-11901) and 9.1 (CVE-2020-11898). The first three could allow remote code execution and the remaining vulnerability could result in the disclosure of sensitive information.

CVE-2020-11896 could be exploited by sending a malformed IPv4 packet to a device supporting IPv4 tunneling, and CVE-2020-11897 could be triggered by sending multiple malformed IPv6 packets to a device. Both allow stable remote code execution. CVE-2020-11901 can be triggered by answering a single DNS request made from a vulnerable device. This vulnerability could allow an attacker to take over a device through DNS cache poisoning and bypass all security measures.

The remaining 15 vulnerabilities range in severity from 3.1 to 8.2 and could result in information disclosure, allow a denial of service attack, and some could also potentially lead to remote code execution.

Exploitation of the vulnerabilities is possible from outside the network. An attacker could take full control of a vulnerable internet-facing device or, if the network has been infiltrated, attack vulnerable networked devices that are not internet-enabled. An attacker could also broadcast an attack and take control of all vulnerable devices on the network simultaneously. These attacks require no user interaction and could be carried out in a way that bypasses NAT and firewalls. An attacker could take control of devices completely undetected and remain in control of those devices for years.

The vulnerabilities could be exploited by sending specially crafted packets that are very similar to valid packets, making it difficult to detect an attack in progress. JSOF reports that in some cases, completely valid packets could be used, which would make an attack almost impossible to detect.

“The risks inherent in this situation are high,” explained JSOF. “Just a few examples: Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years.”

The video below shows an example of an exploit on a UPS to which several devices are connected, including a drug infusion pump.

Treck is currently reaching out to its clients to warn them about the vulnerabilities. The flaws have been patched in its TCP/IPv4/v6 software, so organizations impacted by the flaws should ensure Treck’s software stack version 6.0.1.67 or higher is used.

You can view the ICS-CERT advisory here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
