Dark Reading is part of the Informa Tech Division of Informa PLC

IoT
6/16/2020
05:50 PM

'Ripple20' Bugs Plague Enterprise, Industrial & Medical IoT Devices

Researchers discover 19 vulnerabilities in a TCP/IP software library manufacturers have used in connected devices for 20 years.

Security researchers today disclosed 19 bugs affecting hundreds of millions of Internet of Things (IoT) devices. The "Ripple20" vulnerabilities, four of which are critical, exist in a low-level TCP/IP software library used by many manufacturers to connect their devices to the Internet via TCP/IP connections.

Researchers with Israeli cybersecurity consultancy JSOF began researching this library, built by a software company called Treck, in September 2019. It piqued the team's interest because they predicted it would be used in several types of connected devices, explains CEO and researcher Shlomi Oberman. Investigation revealed several serious flaws in all types of connected devices. 

"We found it's pretty much everywhere, in terms of the IoT space," Oberman says. "We threw a stone in the pond, and ripples keep expanding, and every day we're learning of new vendors." The flaws are not named for their count, he adds, but for their ripple effect across industries.

JSOF has been working with Treck, the Computer Emergency Response Team Coordination Center (CERT/CC), and the Cybersecurity and Infrastructure Security Agency (CISA) in the disclosure process. While it was difficult to engage Treck at the start, JSOF says, the company ultimately took over the process of notifying its clients and developed a patch for Ripple20 by the end of March.

Vulnerable products include industrial control devices, printers, medical devices, power grids, home products, and retail devices. Ripple20 exists in the transportation, aviation, oil and gas, and government and national security sectors. Affected vendors range from one-person boutique shops to Fortune 500 corporations such as HP, Schneider Electric, Intel, and Rockwell Automation. When JSOF reached out to the Department of Homeland Security (DHS), it received a list of 70 to 80 vendors potentially at risk.

"Working with the DHS, and going after the supply chain vendor by vendor, we slowly realized how big of an issue this is," Oberman explains.

Inside Ripple20: The Most Critical Flaws
The vulnerabilities range in severity from small flaws with subtle effects to bugs that could enable denial of service or information disclosure if exploited, Oberman says. Two could lead to remote code execution, allowing attackers to take over a device and do whatever they want.

One of the more severe flaws is CVE-2020-11896 (CVSSv3 score 10), a remote code execution vulnerability that can be exploited by sending malformed IPv4 packets to a device supporting IPv4 tunneling. It affects any device running Treck with a specific configuration. Another is CVE-2020-11897 (CVSSv3 score 10), which can be triggered by sending multiple malformed IPv6 packets to a device. It affects any device running an older version of Treck with IPv6 support, JSOF reports. More information on the vulnerabilities can be found in the research team's full report.
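The following Python sketch is an added illustration, not JSOF's code or anything from Treck, of the kind of compensating-control check a network defender could run over captured traffic while patches for the IPv4-tunneling bug described above propagate. It parses raw IPv4 headers, flags encapsulated-IP traffic heading into an embedded-device segment, and reports length inconsistencies in the encapsulated packet. The device subnet (10.20.0.0/16) and the sample packets are constructed; the mapping of "IPv4 tunneling" to IP protocol numbers 4 (IP-in-IP) and 41 (IPv6-in-IPv4) is an assumption, and the length test is a generic well-formedness check, not a signature for any specific Ripple20 bug.

```python
import struct
from ipaddress import ip_address, ip_network

# Assumption for this example: the segment where embedded/IoT devices live.
IOT_SUBNET = ip_network("10.20.0.0/16")
# Assumed carriers for "IPv4 tunneling": IP protocol 4 (IP-in-IP) and 41 (IPv6-in-IPv4).
TUNNEL_PROTOS = {4: "IPv4-in-IPv4", 41: "IPv6-in-IPv4"}


def parse_ipv4_header(buf):
    """Parse the fixed part of an IPv4 header.

    Returns (header_len, total_len, proto, src, dst), or None when the buffer
    is too short or is not IPv4 at all.
    """
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    header_len = (buf[0] & 0x0F) * 4
    if header_len < 20 or len(buf) < header_len:
        return None
    total_len = struct.unpack("!H", buf[2:4])[0]
    proto = buf[9]
    return header_len, total_len, proto, ip_address(buf[12:16]), ip_address(buf[16:20])


def inspect_packet(buf):
    """Return a list of review findings for one raw IPv4 packet (empty means nothing notable)."""
    hdr = parse_ipv4_header(buf)
    if hdr is None:
        return ["not a parseable IPv4 packet"]
    header_len, total_len, proto, src, dst = hdr
    findings = []
    # Outer header must describe exactly what is on the wire.
    if total_len < header_len or total_len > len(buf):
        findings.append("outer total length does not match bytes on the wire")
        return findings
    # Encapsulated IP aimed at the device segment is unusual enough to review.
    if proto in TUNNEL_PROTOS and dst in IOT_SUBNET:
        findings.append(f"{TUNNEL_PROTOS[proto]} encapsulation from {src} to device segment host {dst}")
        if proto == 4:
            carried = total_len - header_len
            inner = parse_ipv4_header(buf[header_len:total_len])
            if inner is None:
                findings.append("inner IPv4 header truncated or invalid")
            elif inner[1] > carried:
                findings.append(f"inner total length {inner[1]} exceeds the {carried} carried bytes")
    return findings


def build_ipv4(src, dst, proto, payload, total_len=None):
    """Constructed sample-packet builder (checksum left zero; not needed for inspection)."""
    total_len = 20 + len(payload) if total_len is None else total_len
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return header + payload


def sample_packets():
    """Constructed samples: benign TCP, a well-formed tunnel, a malformed one, and a tunnel elsewhere."""
    tcp = build_ipv4("10.1.1.5", "10.20.3.7", 6, b"\x00" * 20)
    inner_ok = build_ipv4("192.0.2.1", "10.20.3.7", 17, b"\x00" * 8)
    tunnel_ok = build_ipv4("10.1.1.5", "10.20.3.7", 4, inner_ok)
    inner_bad = build_ipv4("192.0.2.1", "10.20.3.7", 17, b"\x00" * 8, total_len=2000)
    tunnel_bad = build_ipv4("10.1.1.5", "10.20.3.7", 4, inner_bad)
    tunnel_elsewhere = build_ipv4("10.1.1.5", "10.99.0.1", 4, inner_ok)
    return {"tcp": tcp, "tunnel_ok": tunnel_ok, "tunnel_bad": tunnel_bad,
            "tunnel_elsewhere": tunnel_elsewhere}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, inspect_packet(pkt) or "ok")
```

In practice the same two checks (is encapsulated IP reaching the device segment at all, and does the inner header agree with the bytes actually carried) map directly onto a firewall rule that drops protocol 4 and 41 traffic toward embedded segments, which is the cheaper control where tunneling has no business reason.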

An attacker would need to be on the network to exploit most of these vulnerabilities, Oberman says, but this usually isn't difficult because many IoT devices are already connected to the Internet by mistake. In some cases, a sophisticated attacker could target devices from outside the network. JSOF believes all vendors are vulnerable to at least one of the remote code execution flaws, with the exception of one vendor that made extensive changes to the code base itself.

How these vulnerabilities affect an organization depends on how the software is used. The Treck software library can be used as is, configured for a range of uses, or built into a larger library, researchers explain in a writeup of their findings. Someone could buy the library in source code format and edit it; the library could be integrated into a range of device types. A company that originally bought the library could rebrand or undergo an acquisition.

"Over time, the original library component could become virtually unrecognizable," the team writes. "This is why, long after the original vulnerability was identified and patched, vulnerabilities may still remain in the field, since tracing the supply chain trail may be practically impossible." Many affected organizations may have no idea they're vulnerable to bugs in a software library that has been making its way into connected devices for 20 years.

While patches are now available for the Ripple20 vulnerabilities, researchers are still working to identify vulnerable devices. One of the coordination organizations that JSOF worked with said it could be two years before all of the affected devices are discovered, Oberman says. 

How One Affected Vendor Responded
JSOF informed Digi International of Ripple20 in February, says information security officer Donald Schleede. The IoT technology provider soon started examining the flaws and began the public disclosure process, which he says typically runs 90 days. However, because customer concerns and compliance standards demand 30 days' notice for any vendor, the time available for addressing critical flaws amounts to less than 60 days.

"These products are older products," says Schleede. "It's a code base that has been out there for a while." Working with the JSOF researchers, Digi went through and addressed each of the necessary code fixes and then did a code audit to verify whether flaws were attackable or not.

Ripple20 affected two lines of Digi products. One is its boxed products, which customers buy and for which Digi provides the firmware. The other consists of embedded boards, which customers integrate into their own products and for which Digi provides the code. All were patched by late April, and organizations were notified via the enterprise management system. Schleede says many customers, especially in the industrial space, don't want automatic updates because they can interfere with processes.

When asked about the likelihood of vulnerabilities being exploited, Schleede says "it's hard to narrow this one down." The firm identified about 22 code fixes, the implications of which vary depending on how the affected code is used. Attacks targeting the availability of data are "probably the hardest to protect against but the easiest attack." However, those affecting data confidentiality and integrity are both more dangerous and more difficult to pull off.

"If data is being stolen and you don't know where it's coming from, it's pretty critical," he adds.

The worst-case vulnerabilities in Ripple20 are difficult to exploit because they require extensive knowledge about the target device. Schleede says he spent three days with engineers trying to replicate the most destructive attacks with no success. If he wanted to launch an attack to knock systems offline, he says, it would be much easier.

"It's going to be different for different devices and how protections are designed," he explains. For vendors affected by Ripple20, he advises putting a strong security testing program in place.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...