Ripple20: Vulnerabilities in Treck TCP/IP Stack
I. Targeted Industries
- Energy and Transportation
- Oil and Gas
Cybersecurity experts at JSOF have discovered a set of vulnerabilities impacting millions of enterprise and consumer-grade products. A total of 19 vulnerabilities have been identified in the Treck TCP/IP library, affecting millions of Internet of Things (IoT) and industrial control devices. The Treck TCP/IP library was developed in the 1990s and implements a lightweight TCP/IP stack for embedded systems; it has been used by multiple companies for decades. The library was not only used directly by equipment vendors but was also incorporated into other software suites, meaning a company may not be aware that its software uses this code, as the library does not appear in the code manifest. These vulnerabilities have been given the name Ripple20 and they include four critical remote code-execution vulnerabilities that allow attackers to steal information or tamper with machine behavior. Due to complex and untracked software supply chains, experts fear that patches may not become available for many affected devices.
III. Background Information
The Ripple20 bugs contain four critical flaws: CVE-2020-11896 (critical rating 10), CVE-2020-11897 (critical rating 10), CVE-2020-11901 (critical rating 9), and CVE-2020-11898 (critical rating 9.1). Each of these allows remote code execution. These vulnerabilities allow attackers to take over any affected IoT device or industrial/healthcare equipment. If properly executed, data can be taken off a printer, or an industrial IoT-controlled device could be made to malfunction. Most of these vulnerabilities are perfect for botnet operators, but they can also be used for targeted attacks. According to Israel-based cybersecurity company JSOF, “An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks.”
The rest of the vulnerabilities are considered true zero-days, capable of enabling denial-of-service (DoS) attacks and of allowing attackers to bypass Network Address Translation (NAT) and firewalls to take over devices without detection. Effective exploitation can lead to lateral movement within compromised networks and stealthy reconnaissance from within infected devices. This is because the Ripple20 vulnerabilities are part of a low-level TCP/IP stack: many of the packets used in exploitation are very similar to valid packets, or are completely valid packets, which allows the attack traffic to pass as legitimate. Many devices can be affected by Ripple20 because of the widespread dissemination of the TCP/IP stack; small vulnerabilities can have a “ripple effect” that impacts many industries, applications, and people. Treck has released patches for the vulnerabilities. However, installing them is not feasible in every case, so users should take additional steps to minimize the risk of attack:
- Keep software up to date
Keep all software up to date with the latest patches and updates to avoid past vulnerabilities.
- Minimize network exposure for embedded and critical devices
Ensure that devices are not accessible from the Internet unless essential, to prevent unwanted intrusion.
- Isolate operational technology networks and devices
Segregate these networks and devices behind firewalls and away from any business networks.
- Filter traffic
Filter traffic coming into your network for signs of compromise.
- Recommended article: https://www.jsof-tech.com/ripple20/
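As an added illustration of the "Filter traffic" recommendation (example code written for this page, not JSOF's or Treck's), the following Python inspector flags the IPv4 packet classes that the vendor and CISA mitigation guidance for Ripple20 names for blocking at the OT boundary: IP fragments, IP-in-IP / IPv6-in-IPv4 tunnelling, and length-field inconsistencies. Assumptions: those three rules are taken from that guidance rather than from this advisory, and the sample packets are constructed test input.

```python
import struct

# Packet classes that the Ripple20 mitigation guidance published by JSOF and CISA
# (ICSA-20-168-01) asks defenders to block at the OT boundary: IP fragments and
# IP-in-IP / IPv6-in-IPv4 tunnelling. Taking them from that guidance is an assumption;
# the advisory above only says to filter incoming traffic.
IP_PROTO_IPIP = 4    # IPv4 encapsulated in IPv4
IP_PROTO_IPV6 = 41   # IPv6 encapsulated in IPv4


def inspect_ipv4(pkt: bytes) -> list:
    """Return the reasons an IPv4 packet should be dropped or alerted on (empty if none)."""
    findings = []
    if len(pkt) < 20:
        return ["truncated: shorter than a minimal IPv4 header"]
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        return ["not IPv4"]
    ihl = (ver_ihl & 0x0F) * 4
    # Length inconsistencies: the critical Ripple20 bugs are triggered by packets whose
    # declared lengths disagree with what is actually carried. Bytes beyond total_len are
    # not flagged because short Ethernet frames are legitimately padded.
    if ihl < 20 or ihl > total_len:
        findings.append(f"bad IHL {ihl} for total length {total_len}")
    if total_len > len(pkt):
        findings.append(f"length mismatch: header claims {total_len}, captured {len(pkt)}")
    more_frag = bool(flags_frag & 0x2000)
    frag_off = flags_frag & 0x1FFF
    if more_frag or frag_off:
        findings.append("IP fragment")
    if proto in (IP_PROTO_IPIP, IP_PROTO_IPV6):
        findings.append(f"IP tunnelling (protocol {proto})")
    return findings


def make_ipv4(proto: int, payload: bytes, flags_frag: int = 0, declared_len=None) -> bytes:
    """Build a constructed IPv4 packet for testing; the header checksum is left at zero."""
    total_len = 20 + len(payload) if declared_len is None else declared_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # RFC 5737 test addresses
    return hdr + payload


if __name__ == "__main__":
    samples = {
        "plain UDP": make_ipv4(17, b"\x00" * 8),
        "IP-in-IP tunnel": make_ipv4(IP_PROTO_IPIP, b"\x45" + b"\x00" * 19),
        "first fragment": make_ipv4(17, b"\x00" * 8, flags_frag=0x2000),
        "oversized length field": make_ipv4(17, b"\x00" * 8, declared_len=1500),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {inspect_ipv4(pkt) or ['ok']}")
```

In production the same checks belong in the boundary firewall or IDS ruleset rather than in a script; this block only makes the rules concrete against sample packets.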
V. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) Cimpanu, Catalin. “Ripple20 Vulnerabilities Will Haunt the IoT Landscape for Years to Come.” ZDNet. ZDNet, June 16, 2020. https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/.
(2) Kovacs, Eduard. “Ripple20: Flaws in Treck TCP/IP Stack Expose Millions of IoT Devices to Attacks.” SecurityWeek, June 16, 2020. https://www.securityweek.com/ripple20-flaws-treck-tcpip-stack-expose-millions-iot-devices-attacks.
(3) Seals, Tara. “‘Ripple20’ Bugs Impact Hundreds of Millions of Connected Devices.” Threatpost, 2020. https://threatpost.com/millions-connected-devices-ripple20-bugs/156599/.
(4) “Ripple20.” JSOF, June 17, 2020. https://www.jsof-tech.com/ripple20/.