A set of 19 vulnerabilities have been identified in the TCP/IP software library developed by Cincinnati-based Treck Inc., a developer of real-time embedded internet protocols for technology firms. The vulnerabilities were discovered by the Israeli cybersecurity firm JSOF and have been named Ripple20.
Treck is a fairly low-profile company that develops low-level internet protocols, which are incorporated into a wide range of devices. A vulnerability in Treck’s TCP/IPv4/v6 stack therefore has major implications, hence the name Ripple20. The vulnerabilities have a ripple effect through the supply chain and affects hundreds of millions of products.
JSOF investigated the Treck TCP/IP stack and found flaws that could be exploited remotely by attackers with no user interaction required. Some of the flaws could be exploited silently, bypassing security solutions, and allowing remote code execution.
“Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years,” explained the JSOF researchers.
An attacker could remotely take control of a vulnerable internet-enabled device, attack non-internet-facing devices from inside a compromised network, and could broadcast an attack and take over all vulnerable devices simultaneously. An attacker could also bypass NAT configurations and firewalls and could be exploited undetected.
Four of the vulnerabilities have been rated critical. CVE-2020-11896 and CVE-2020-11897 have both been assigned a CVSS v3 base score of 10 out of 10 and both allow stable remote code execution and can be exploited by sending multiple malformed IPv4 (CVE-2020-11896 ) and IPv6 (CVE-2020-11897) packets to a vulnerable device. Since these packets are very similar to genuine packets, an attack would be difficult to identify.
CVE-2020-11901 has been given a CVSS v3 base score of 9, but the JSOF researchers believe this flaw could be more severe. “In our opinion this is the most severe of the vulnerabilities despite having a CVSS score of 9.0, due to the fact that DNS requests may leave the network in which the device is located, and a sophisticated attacker may be able to use this vulnerability to take over a device from outside the network through DNS cache poisoning, or other methods. Thus, an attacker can infiltrate the network and take over the device with one vulnerability bypassing any security measures. “
CVE-2020-11898 has a CVSS v3 base score of 9.1 and could result in the disclosure of sensitive information. The remaining 15 vulnerabilities range in severity from 3.1 to 8.2.
Companies confirmed to have products vulnerable to the flaws include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, B. Braun, and Quadros. There are many other companies that may also be affected. Those companies have been contacted and are currently assessing their products to determine whether they are affected. It is probable that around 50 companies may have to take steps to update their products to fix the vulnerabilities.
JSOF identified the vulnerabilities in 2019 and notified Treck. Treck has now released a new TCP/IP stack version that fixes all of the 19 flaws. Device manufacturers should ensure that they are using TCP/IP stack version 220.127.116.11 or higher.
JSOF’s investigation revealed Treck’s TCP/IPv4/v6 stack is used in industrial control systems, power grids, medical devices, IoT devices, home devices, networking devices, enterprise devices, and those devices are used in the government & national security, retail, transportation, oil and gas, and aviation industries.
An example of how one of the flaws can be easily exploited is demonstrated in the video below. In this attack, JSOF CEO, Shlomi Oberman, exploits a vulnerability to attack a UPS to which several devices are connected.