An Israeli security company, JSOF, found 19 critical vulnerabilities in a widely used Transmission Control Protocol/Internet Protocol (TCP/IP) software library developed by an Ohio-based Treck Inc. and named them collectively as Ripple20. Treck is a software solutions provider for IoT devices used across industries and critical infrastructures like power grids, healthcare, automotive, etc. Thus, not fixing these vulnerabilities at the earliest would have been detrimental to the security of these critical infrastructures.
Know what are the Ripple20 Vulnerabilities
Out of the 19 vulnerabilities of Ripple20, four vulnerabilities are rated very critical, with CVSS scores over 9. These vulnerabilities found in the Treck TCP/IP software enable potential threat actors to carry out Remote Code Execution. One of the critical vulnerabilities, recorded under CVE-2020-11901, is in the DNS protocol. If exploited, it would potentially allow threat actors to gain control over devices from outside into the victim’s network perimeter, and even on devices that are not connected to the internet.
The other 15 vulnerabilities have a CVSS score ranging between 3.1 and 8.2, and potential effects ranging from Denial of Service to Remote Code Execution.
As per JSOF’s findings, four of these of Ripple20 vulnerabilities have been closed over the years as part of routine code changes. However, they also noted that it remained open in certain affected devices.
The researchers said, “Ripple20 vulnerabilities are unique both in their widespread effect and impact due to supply chain effect. These vulnerabilities allow attackers to bypass NAT and firewalls and take control of devices undetected, with no user interaction required. This is due to the vulnerabilities being in a low level TCP/IP stack, and the fact that for many of the vulnerabilities, the packets sent are very similar to valid packets, or, in some cases are completely valid packets. This enables the attack to pass as legitimate traffic.”
Here’s a detailed description of the Ripple20’s four most critical vulnerabilities:
Fixed on Version
|CVE-2020-11896||10||This vulnerability can be triggered by sending multiple malformed IPv4 packets to a device supporting IPv4 tunneling. It affects any device running Treck with a specific configuration and allows a stable remote code execution.||Remote Code Execution||184.108.40.206
|CVE-2020-11897||10||This vulnerability can be triggered by sending multiple malformed IPv6 packets to a device. It affects any device running an older version of Treck with IPv6 support, and was previously fixed as a routine code change. It can potentially allow a stable remote code execution.||Out-of-Bounds Write||220.127.116.11
|CVE-2020-11901||9||This vulnerability can be triggered by answering a single DNS request made from the device. It affects any device running Treck with DNS support and can be used to perform Remote Code Execution. This is the most severe of the vulnerabilities despite having a CVSS score of 9.0, due to the fact that DNS requests may leave the network in which the device is located, and a sophisticated attacker may be able to use this vulnerability to take over a device from outside the network through DNS cache poisoning, or other methods.||Remote Code Execution||18.104.22.168
JSOF reported these issues to Treck who have in return replied positively and collaborated with JSOF researchers in getting the issues fixed. Treck’s affected clients like Intel, HP, Schneider Electric, Caterpillar, B.Braun, Green Hills, Rockwell Automation, etc. and international bodies like ICS CERT, CERTCC, JPCERT/CC, CERT-IL have all acknowledged these critical vulnerabilities and issued respective advisories.