19 zero-day vulnerabilities dubbed Ripple20 were found in the TCP/IP stack of IoT-specific software from Treck. This puts millions of IoT devices at risk, as the software designed to enable their internet connections is itself riddled with vulnerabilities.
According to the disclosure by JSOF, the Ripple20 vulnerabilities are unique both in their widespread effect and in an impact magnified by the supply chain factor. The vulnerabilities allow attackers to bypass NAT and firewalls and take control of devices undetected, with no user interaction required. Once connected to a target device, an attacker can paralyse it or run malicious code. Affected devices range from power supply systems in data centres to programmable logic controllers.
Here’s a comment from Scott Caveza, Research Engineering Manager at Tenable, on Ripple20:
“Ripple20 is a set of 19 vulnerabilities discovered by JSOF. The vulnerabilities exist in the TCP/IP software library developed by Treck, Inc. Since these vulnerabilities exist in a low-level TCP/IP stack used by dozens of vendors and devices, it’s difficult to determine how many vendors will acknowledge, let alone release patches for affected devices. Adding to the difficulty, many of these are IoT/SCADA devices, which may be difficult to patch or upgrade. At the time the report was released, eight vendors were confirmed to be affected, five were listed as not affected and an overwhelming 66 are still pending.
JSOF notes that the affected library exists in sensitive devices, such as those found in industrial control applications, medical devices, power grids, oil and gas and more. As concerning as these 19 vulnerabilities are, this report highlights an often overlooked security concern: vendors reusing and repurposing common software libraries. This practice creates challenges when it comes to identifying and patching logic and security issues in code, as it becomes a vendor-specific issue. A fix for one vulnerability might have multiple solutions from various vendors, and it’s possible specific patch attempts could open up additional attack vectors if not properly implemented.
The JSOF report on Ripple20 includes several risk scenarios of how these vulnerabilities can be used individually or in a chained attack, including an outside attacker taking control over an internet-facing device. The most severe of these vulnerabilities include two remote code execution flaws (CVE-2020-11896, CVE-2020-11901) and an out-of-bounds (OOB) write vulnerability (CVE-2020-11897). These vulnerabilities do not require any user interaction and many of the packets would look like legitimate TCP/IP traffic, likely to go undetected by intrusion detection systems (IDS) or intrusion prevention systems (IPS).”