Ripple20 – 19 Vulnerabilities Found Within Treck TCP/IP Stack
The Treck IP network stack software is designed for and used in a variety of embedded systems. First created in the 1990s, the software can be licensed and integrated in various ways, including compiled from source, licensed for modification and reuse, or shipped as a dynamically or statically linked library. Concerned that so many Internet-of-Things devices relied on the same TCP/IP stack library, researchers at JSOF, an Israeli cyber security company, conducted a deep dive into the stack's code to look for vulnerabilities that malicious actors could exploit. What they discovered was a series of zero-day vulnerabilities within the widely used software library developed by Treck. Although 19 vulnerabilities were eventually found, JSOF named them “Ripple20” because of the widespread impact these vulnerabilities could have, given how heavily the affected TCP/IP stack is used.
The number of devices and industries that can be and are affected by Ripple20 cannot be overstated, as the TCP/IP stack developed by Treck is used by a multitude of vendors across many fields. Affected vendors range from SOHO businesses to Fortune 500 multinational corporations such as HP, Schneider Electric, Intel, Rockwell Automation, and Caterpillar, to name a few. This is due to the widespread dissemination of the software library and is a natural consequence of the supply chain “ripple effect”: a single vulnerable component, while small in and of itself, “can ripple outward to impact a wide range of industries, applications, companies, and people.”
Ripple20 poses a significant risk through the affected devices still in use, with potential risk scenarios including:
- An attacker from outside the network gaining full control of an internet facing device
- An attacker already within the network utilizing the library vulnerabilities to further compromise devices on the same network
- A broadcast attack capable of taking over all impacted devices in the network simultaneously
- An attacker utilizing affected devices to remain hidden on a compromised network
In all scenarios, an attacker can gain complete control over the targeted device remotely, with no user interaction required.
Depending on the context, some mitigation options do exist; device vendors, for example, have different options from network operators. In general, JSOF recommends taking the following steps:
- All organizations must perform a comprehensive risk assessment before deploying defensive measures.
- First deploy defensive measures in a passive “alert” mode.
- Mitigation for device vendors:
  - Determine whether you use a vulnerable Treck stack.
  - Contact Treck to understand the risks.
  - Update to the latest Treck stack version (6.0.1.67 or higher).
  - If updates are not possible, consider disabling vulnerable features.
- Mitigation for operators and networks (based on CERT/CC and CISA ICS-CERT advisories):
  - The first and best mitigation is updating all devices to patched versions.
  - If devices cannot be updated, the following steps are recommended:
    - Minimize network exposure for embedded and critical devices, keeping exposure to the minimum necessary and ensuring that devices are not accessible from the Internet unless essential.
    - Segregate OT networks and devices behind firewalls and isolate them from the business network.
    - Enable only secure remote access methods.
    - Block anomalous IP traffic.
    - Block network attacks via deep packet inspection, to reduce the risk to your Treck-based embedded TCP/IP-enabled devices.
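The steps above start with a risk assessment and put patching to 6.0.1.67 or higher ahead of exposure reduction. The following script, an added example that is not JSOF's scanner or Treck's code, shows one way to turn a device inventory into a prioritised remediation list: it compares reported Treck stack versions against the patched version named above and ranks vulnerable devices by Internet exposure and network zone. The inventory format, the field names, and every device record are constructed for this illustration.

```python
"""Prioritise devices for Ripple20 remediation from a simple inventory.

Added illustration, not JSOF's or Treck's code. The inventory fields and all
device records below are constructed examples.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First patched Treck stack version named in the advisory summary.
PATCHED_TRECK_VERSION = "6.0.1.67"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '6.0.1.66' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(version: str, fixed: str = PATCHED_TRECK_VERSION) -> bool:
    """True when the reported Treck version is older than the fixed version."""
    v, f = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple so that 6.0.1 compares like 6.0.1.0.
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


@dataclass
class Device:
    name: str
    stack: str                    # vendor-reported TCP/IP stack name (constructed field)
    stack_version: Optional[str]  # None when the vendor has not reported it
    internet_facing: bool
    network_zone: str             # e.g. "OT" or "business"


def triage(device: Device) -> Tuple[str, str]:
    """Return (priority, recommended action) for one device.

    The order follows the advisory: patch first, then reduce exposure and
    segregate; unknown versions go back to the vendor for confirmation.
    """
    if device.stack.lower() != "treck":
        return ("none", "not affected: no Treck stack reported")
    if device.stack_version is None:
        return ("review", "Treck stack with unknown version: confirm version with the vendor")
    if not is_vulnerable_version(device.stack_version):
        return ("none", f"patched ({device.stack_version} is {PATCHED_TRECK_VERSION} or higher)")
    if device.internet_facing:
        return ("critical", "vulnerable and reachable from the Internet: patch or remove exposure now")
    if device.network_zone.upper() == "OT":
        return ("high", "vulnerable OT device: patch; until then keep it behind the OT firewall")
    return ("medium", "vulnerable internal device: schedule patch; monitor in alert mode first")


def triage_inventory(devices: List[Device]) -> List[Tuple[str, str, str]]:
    """Triage every device and return (name, priority, action) rows, most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2, "review": 3, "none": 4}
    rows = [(d.name, *triage(d)) for d in devices]
    return sorted(rows, key=lambda row: order[row[1]])


# Constructed sample inventory: names, versions and zones are made up.
SAMPLE_INVENTORY = [
    Device("printer-lobby", "Treck", "6.0.1.66", True, "business"),
    Device("plc-line3", "Treck", "5.0.1.35", False, "OT"),
    Device("ups-rack2", "Treck", "6.0.1.67", False, "business"),
    Device("hmi-panel", "Treck", None, False, "OT"),
    Device("core-switch", "lwIP", "2.1.2", False, "business"),
    Device("badge-reader", "Treck", "4.7.1.27", False, "business"),
]

if __name__ == "__main__":
    for name, priority, action in triage_inventory(SAMPLE_INVENTORY):
        print(f"{priority:8} {name:14} {action}")
```

Run it directly to print the ranked list. In practice the inventory would come from an asset database or vendor advisories; the version comparison is the part that matters, since a version string such as "6.0.1" must not be mistaken for a patched release just because it shares a prefix with 6.0.1.67.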
The scope and potential impact of the 19 Ripple20 vulnerabilities are extremely large. For a complete technical analysis of the 19 discovered vulnerabilities, please review the full analysis and brief released by JSOF.
Four of the Ripple20 vulnerabilities are rated critical, with CVSS scores above 9, and enable remote code execution. One of the critical vulnerabilities is in the DNS protocol and may potentially be exploitable by an attacker over the Internet, from outside the network boundary, even on devices that are not Internet facing.
For a short breakdown of each vulnerability and its associated CVE ID, as well as the affected vendors (confirmed, pending, and not affected, as reported by each vendor), please see the PDF attached at the end of this article, named “Ripple20, CVE IDs and Affected Vendors.”
Sources: