The Department of Homeland Security and CISA ICS-CERT today issued a critical security advisory warning about over a dozen newly discovered vulnerabilities affecting billions of Internet-connected devices manufactured by many vendors across the globe.
Dubbed “Ripple20,” the set of 19 vulnerabilities resides in a low-level TCP/IP software library developed by Treck, which, if weaponized, could let remote attackers gain complete control over targeted devices—without requiring any user interaction.
According to Israeli cybersecurity company JSOF—who discovered these flaws—the affected devices are in use across various industries, ranging from home/consumer devices to medical, healthcare, data centers, enterprises, telecom, oil, gas, nuclear, transportation, and many others across critical infrastructure.
“Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years,” the researchers said in a report shared with The Hacker News.
“One of the vulnerabilities could enable entry from outside into the network boundaries; this is only a small taste of the potential risks.”
There are four critical vulnerabilities in Treck TCP/IP stack, with CVSS scores over 9, which could let attackers execute arbitrary code on targeted devices remotely, and one critical bug affects the DNS protocol.
“The other 15 vulnerabilities are in ranging degrees of severity with CVSS score ranging from 3.1 to 8.2, and effects ranging from Denial of Service to potential Remote Code Execution,” the report says.
Some Ripple20 flaws were patched by Treck or device manufacturers over the years due to code changes and Stack configurability, and for the same reason, many of the flaws also have several variants that apparently would not be patched anytime soon until vendors perform a comprehensive risk assessment.
- CVE-2020-11896 (CVSS v3 base score 10.0): Improper handling of length parameter inconsistency in IPv4/UDP component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution.
- CVE-2020-11897 (CVSS v3 base score 10.0): Improper handling of length parameter inconsistency in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in possible out-of-bounds write.
- CVE-2020-11898 (CVSS v3 base score 9.8): Improper handling of length parameter inconsistency in IPv4/ICMPv4 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in the exposure of sensitive information.
- CVE-2020-11899 (CVSS v3 base score 9.8): Improper input validation in the IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information.
- CVE-2020-11900 (CVSS v3 base score of 9.3): Possible double free in IPv4 tunneling component when handling a packet sent by a network attacker. This vulnerability may result in remote code execution.
- CVE-2020-11901 (CVSS v3 base score 9.0): Improper input validation in the DNS resolver component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution.
You can find details for the rest of the vulnerabilities in an advisory released by the U.S. government.
Cybersecurity researchers at JSOF responsibly reported their findings to Treck company, who then patched most of the flaws with the release of TCP/IP stack version 6.0.1.67 or higher.
Researchers also contacted affected semiconductors and device manufacturing vendors, including—HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, and Quadros—many of which have already acknowledged the flaw and rest are still taking an assessment of their products before going public.
“The disclosure was postponed twice after requests for more time came from some of the participating vendors, with some of the vendors voicing COVID-19-related delays. Out of consideration for these companies, the time period was extended from 90 to over 120 days. Even so, some of the participating companies became difficult to deal with, as they made extra demands, and some, from our perspective, seemed much more concerned with their brand’s image than with patching on the vulnerabilities,” the researchers said.
Since millions of devices would not receive security patch updates to address Ripple20 vulnerabilities anytime soon, researchers and ICS-CERT have recommended consumers and organization to:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
Besides this, it’s also advised to use virtual private networks for securely connecting your devices to Cloud-based services over the Internet.
In its advisory, CISA has also asked affected organizations to perform proper impact analysis and risk assessment before deploying defensive measures.