Pierluigi Paganini June 16, 2020

Serious security vulnerabilities in the Treck TCP/IP stack dubbed Ripple20 expose millions of IoT devices worldwide to cyber attacks, researchers warn.

Hundreds of millions of devices worldwide could be vulnerable to remote attacks due to security vulnerabilities in the Treck TCP/IP stack dubbed Ripple20.

Treck TCP/IP is a high-performance TCP/IP protocol suite designed for embedded systems. Researchers at Israel-based cybersecurity company JSOF have discovered 19 critical and high-severity security flaws.

The zero-day flaws reside in a popular low-level TCP/IP software library developed by Treck, Inc. that is used in devices made by more than 100 organizations in various industries.

“The JSOF research lab has discovered a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. The 19 vulnerabilities, given the name Ripple20, affect hundreds of millions of devices (or more), and include multiple remote code execution vulnerabilities.” reads the post published by the researchers.

The experts pointed out that Ripple20 issues are the only vulnerabilities reported in Treck TCP/IP to date.

The flaws can be exploited for remote code execution, denial-of-service (DoS) attacks, and for obtaining potentially sensitive information.

A remote attacker could exploit the flaw by sending specially crafted IP packets or DNS requests to the vulnerable devices.

“Ripple20 vulnerabilities are unique both in their widespread effect and impact due to supply chain effect and being vulnerabilities allowing attackers to bypass NAT and firewalls and take control of devices undetected, with no user interaction required,” reads the JSOF’s report.

Researchers revealed that the list of affected vendors includes HP, Schneider Electric, Intel,  Rockwell Automation, Caterpillar, and Baxter.

JSOF has been working with several organizations to coordinate the disclosure of the flaws, including ICS CERT, CERTCC,  JPCERT/CC, CERT-IL, tech giant like Intel, HP,Schneider Electric have released their own advisories.

Treck released security patches to address the Ripple20 vulnerabilities, but experts pointed out that in some cases it’s not possible to install them.

“Most of the vulnerabilities are true Zero-days, with 4 of them having been closed over the years as part of routine code changes, but remained open in some of the affected devices (3 lower severity, 1 higher). Many of the vulnerabilities have several variants due to the Stack configurability and code changes over the years.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – Ripple20, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]