Cyber-security experts have revealed today 19 vulnerabilities in a small library designed in the 90s that has been widely used and integrated into countless of enterprise and consumer-grade products over the last 20+ years.
The number if impacted products is estimated at “hundreds of millions” and includes products such as smart home devices, power grid equipment, healthcare systems, industrial gear, transportation systems, printers, routers, mobile/satellite communications equipment, data center devices, commercial aircraft devices, various enterprise solutions, and many others.
Experts now fear that all products using this library will most likely remain unpatched due to complex or untracked software supply chains.
Problems arise from the fact that the library was not only used by equipment vendors directly but also integrated into other software suites, which means that many companies aren’t even aware that they’re using this particular piece of code, and the name of the vulnerable library doesn’t appear in their code manifests.
The Ripple20 vulnerabilities
The library, believed to have been first released in 1997, implements a lightweight TCP/IP stack. Companies have been using this library for decades to allow their devices or software to connect to the internet via TCP/IP connections.
Since September 2019, researchers from JSOF, a small boutique cyber consultancy firm located in Jerusalem, Israel, have been looking at Treck’s TCP/IP stack, due to its broad footprint across the industrial, healthcare, and smart device market.
Their work unearthed serious vulnerabilities, and the JSOF team has been working with CERT (computer emergency response teams) in different countries to coordinate the vulnerability disclosure and patching process.
In an interview with ZDNet last week, JSOF said this operation involved a lot of work and different steps, such as getting Treck on board, making sure Treck has patches on time, and then finding all the vulnerable equipment and reaching out to each of the impacted vendors.
Efforts have been successful, Shlomi Oberman, chief executive officer at JSOF, has told ZDNet. Oberman credited CERT/CC for playing a major role in coordinating the vulnerability disclosure process with all impacted vendors.
Treck, while reticent in the beginning and thinking it was the subject of an extortion attempt, is now fully on board, Oberman said.
In an email to ZDNet on Monday, Treck has confirmed that patches are now available for all the Ripple20 vulnerabilities.
Work on Ripple20 only halfway done
But JSOF said the work on identifying all the vulnerable devices is not yet done. The researchers said they named the 19 vulnerabilities as Ripple20 not because they were 20 vulnerabilities in the beginning, but because of the ripple effect they’ll cause in the IoT landscape in 2020, and the years to come.
Researchers say they only scratched the surface when it comes to discovering all the devices that have implemented Treck’s TCP/IP library, and that many equipment vendors will need to verify their own code going forward.
Oberman said that while not all of the Ripple20 vulnerabilities are severe, there are a few that are extremely dangerous, allowing attackers to take over vulnerable systems from a “remote” scenario.
In a security advisory that will go live today and reviewed by ZDNet under embargo, the US Department of Homeland Security has attributed ratings of 10 and 9.8 on the CVSSv3 vulnerability severity scale (scale goes from 1 to 10) to four of the Ripple 20 vulnerabilities. These are:
- CVE-2020-11896 – CVSSv3 score: 10 – Improper handling of length parameter inconsistency in IPv4/UDP component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution.
- CVE-2020-11897 – CVSSv3 score: 10 – Improper handling of length parameter inconsistency in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in possible out-of-bounds write.
- CVE-2020-11898 – CVSSv3 score: 9.8 – Improper handling of length parameter inconsistency in IPv4/ICMPv4 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in exposure of sensitive information.
- CVE-2020-11899 – CVSSv3 score: 9.8 – Improper input validation in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information.
These four vulnerabilities, when weaponized, could allow attackers to easily take over smart devices or any industrial or healthcare equipment. Attacks are possible via the internet if the devices are connected online, or from local networks if the attacker gains a foothold on an internal network (for example, via a compromised router).
These four vulnerabilities are ideal for both botnet operators, but also for targeted attacks. Testing all systems for the Ripple20 vulnerabilities and patching these four issues, in particular, should be a priority for all companies, primarily due to Treck’s large footprint across the software landscape.
The impact of the Ripple20 vulnerabilities is currently expected to be the same as the Urgent/11 vulnerabilities that were disclosed in July 2019, and which are still being investigated to this day, and new vulnerable devices are being found and patched on a regular basis. The comparison is not accidental, as the Urgent/11 vulnerabilities impacted the the TCP/IP (IPnet) networking stack of the VxWorks real-time operating system, another product widely used in the IoT and industrial landscape.
Just like in the case of Urgent/11, some products will remained unpatched, as some have gone end-of-life, or the vendors have shut down operations in the meantime.
JSOF has been invited to speak about these vulnerabilities at the Black Hat USA 2020 security conference.