IoT
6/16/2020 05:50 PM
'Ripple20' Bugs Plague Enterprise, Industrial & Medical IoT Devices

Researchers discover 19 vulnerabilities in a TCP/IP software library manufacturers have used in connected devices for 20 years.

Security researchers today disclosed 19 bugs affecting hundreds of millions of Internet of Things (IoT) devices. The "Ripple20" vulnerabilities, four of which are critical, exist in a low-level TCP/IP software library used by many manufacturers to connect their devices to the Internet via TCP/IP connections.

Researchers with Israeli cybersecurity consultancy JSOF began researching this library, built by a software company called Treck, in September 2019. It piqued the team's interest because they predicted it would be used in several types of connected devices, explains CEO and researcher Shlomi Oberman. Investigation revealed several serious flaws in all types of connected devices. 

"We found it's pretty much everywhere, in terms of the IoT space," Oberman says. "We threw a stone in the pond, and ripples keep expanding, and every day we're learning of new vendors." The flaws are not named for their count, he adds, but for their ripple effect across industries.

JSOF has been working with Treck, the Computer Emergency Response Team Coordination Center (CERT/CC), and the Cybersecurity and Infrastructure Security Agency (CISA) on the disclosure process. While it was difficult to engage Treck at the start, JSOF says, the company ultimately took over the process of notifying its clients and had a patch for Ripple20 ready by the end of March.

Vulnerable products include industrial control devices, printers, medical devices, power grid equipment, home products, and retail devices. Ripple20 exists in the transportation, aviation, oil and gas, and government and national security sectors. Affected vendors range from one-person boutique shops to Fortune 500 corporations, among them HP, Schneider Electric, Intel, and Rockwell Automation. When JSOF reached out to the Department of Homeland Security (DHS), it received a list of 70 to 80 vendors potentially at risk.

"Working with the DHS, and going after the supply chain vendor by vendor, we slowly realized how big of an issue this is," Oberman explains.

Inside Ripple20: The Most Critical Flaws
The vulnerabilities range in severity from small flaws with subtle effects to bugs that could enable denial of service or information disclosure if exploited, Oberman says. Two could lead to remote code execution, allowing attackers to take over a device and do whatever they want.

One of the more severe flaws is CVE-2020-11896 (CVSSv3 score 10), a remote code execution vulnerability that can be exploited by sending malformed IPv4 packets to a device supporting IPv4 tunneling. It affects any device running Treck with a specific configuration. Another is CVE-2020-11897 (CVSSv3 score 10), which can be triggered by sending multiple malformed IPv6 packets to a device. It affects any device running an older version of Treck with IPv6 support, JSOF reports. More information on the vulnerabilities can be found in the research team's full report.

An attacker would need to be on the network to exploit most of these vulnerabilities, Oberman says, but this usually isn't difficult because many IoT devices are already connected to the Internet by mistake. In some cases, a sophisticated attacker could target devices from outside the network. JSOF believes all vendors are vulnerable to at least one of the remote code execution flaws, with the exception of one vendor that made extensive changes to the code base itself.
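The article says the two critical bugs are triggered by malformed IPv4 and IPv6 packets but does not describe the defects themselves, so the following is an added illustration only: it is not Treck's code and does not reproduce any Ripple20 flaw. It shows the class of length-consistency checks a stack parser has to make before trusting header fields, by validating a minimal IPv4 header against the number of bytes actually received from the driver rather than the lengths the packet claims. The sample packets, the `build_sample` helper and the `demo_*` scenarios are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Treck's code, not a reproduction of any Ripple20 bug):
 * a minimal IPv4 header validator that checks every length the packet claims
 * against the wire length the driver actually delivered. */

enum ipv4_verdict {
    IPV4_OK = 0,
    IPV4_TOO_SHORT,      /* fewer than 20 bytes received */
    IPV4_BAD_VERSION,    /* version nibble is not 4 */
    IPV4_BAD_IHL,        /* header length below 20 or beyond the buffer */
    IPV4_BAD_TOTAL_LEN,  /* total length shorter than the header or longer than the buffer */
    IPV4_BAD_FRAG        /* fragment would extend past the 65535-byte datagram limit */
};

struct ipv4_view {
    uint8_t  header_len;       /* bytes */
    uint16_t total_len;
    uint8_t  proto;
    bool     more_frags;
    uint16_t frag_off;         /* bytes */
    const uint8_t *payload;
    uint16_t payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 'len' is the received length handed up by the driver, never a packet field. */
enum ipv4_verdict ipv4_check(const uint8_t *buf, size_t len, struct ipv4_view *out)
{
    if (len < 20) return IPV4_TOO_SHORT;
    if ((buf[0] >> 4) != 4) return IPV4_BAD_VERSION;

    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;           /* header length in bytes */
    if (ihl < 20 || ihl > len) return IPV4_BAD_IHL;

    uint16_t total = rd16(buf + 2);                      /* claimed total length */
    if (total < ihl || total > len) return IPV4_BAD_TOTAL_LEN;

    uint16_t flags_frag = rd16(buf + 6);
    uint16_t frag_off = (uint16_t)((flags_frag & 0x1fff) * 8);
    uint16_t payload_len = (uint16_t)(total - ihl);
    /* A reassembled datagram is at most 65535 bytes; reject offsets past that. */
    if ((uint32_t)frag_off + payload_len > 65535u) return IPV4_BAD_FRAG;

    if (out) {
        out->header_len  = (uint8_t)ihl;
        out->total_len   = total;
        out->proto       = buf[9];
        out->more_frags  = (flags_frag & 0x2000) != 0;
        out->frag_off    = frag_off;
        out->payload     = buf + ihl;
        out->payload_len = payload_len;
    }
    return IPV4_OK;
}

/* Constructed 28-byte sample: 20-byte header plus 8 payload bytes. The caller
 * overrides the version/IHL byte, total length and flags/fragment field to
 * build malformed variants. */
static size_t build_sample(uint8_t *buf, uint8_t vihl, uint16_t total, uint16_t flags_frag)
{
    static const uint8_t base[28] = {
        0x45, 0x00, 0x00, 0x1c,   /* v4, IHL 5, TOS 0, total 28 */
        0x00, 0x01, 0x00, 0x00,   /* id 1, flags/frag 0 */
        0x40, 0x11, 0x00, 0x00,   /* TTL 64, proto UDP, checksum 0 (not checked here) */
        10, 0, 0, 1,              /* src 10.0.0.1 (constructed) */
        10, 0, 0, 2,              /* dst 10.0.0.2 (constructed) */
        0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00   /* payload */
    };
    memcpy(buf, base, sizeof base);
    buf[0] = vihl;
    buf[2] = (uint8_t)(total >> 8);      buf[3] = (uint8_t)total;
    buf[6] = (uint8_t)(flags_frag >> 8); buf[7] = (uint8_t)flags_frag;
    return sizeof base;
}

/* Scenarios: one well-formed packet and three that lie about their lengths. */
int demo_well_formed(void)               { uint8_t b[28]; size_t n = build_sample(b, 0x45, 28,   0x4000); return ipv4_check(b, n, NULL); }
int demo_claims_more_than_received(void) { uint8_t b[28]; size_t n = build_sample(b, 0x45, 1500, 0x4000); return ipv4_check(b, n, NULL); }
int demo_header_exceeds_buffer(void)     { uint8_t b[28]; size_t n = build_sample(b, 0x4f, 28,   0x4000); return ipv4_check(b, n, NULL); }
int demo_fragment_past_limit(void)       { uint8_t b[28]; size_t n = build_sample(b, 0x45, 28,   0x1fff); return ipv4_check(b, n, NULL); }
int demo_payload_len(void)
{
    uint8_t b[28]; struct ipv4_view v;
    size_t n = build_sample(b, 0x45, 28, 0x4000);
    return ipv4_check(b, n, &v) == IPV4_OK ? v.payload_len : -1;
}

int main(void)
{
    printf("well-formed: %d, over-claimed total: %d, IHL beyond buffer: %d, fragment past limit: %d\n",
           demo_well_formed(), demo_claims_more_than_received(),
           demo_header_exceeds_buffer(), demo_fragment_past_limit());
    return 0;
}
```

The point of the design is that the only trusted length is the one the driver supplies; each field read from the packet is bounded by it before it is used to compute a payload pointer or a fragment position, which is the discipline that keeps a malformed packet from steering a parser out of its buffer.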

How these vulnerabilities affect an organization depends on how the software is used. The Treck software library can be used as is, configured for a range of uses, or built into a larger library, researchers explain in a writeup of their findings. Someone could buy the library in source code format and edit it; the library could be integrated into a range of device types. A company that originally bought the library could rebrand or undergo an acquisition.

"Over time, the original library component could become virtually unrecognizable," the team writes. "This is why, long after the original vulnerability was identified and patched, vulnerabilities may still remain in the field, since tracing the supply chain trail may be practically impossible." Many affected organizations may have no idea they're vulnerable to bugs in a software library that has been making its way into connected devices for 20 years.

While patches are now available for the Ripple20 vulnerabilities, researchers are still working to identify vulnerable devices. One of the coordination organizations that JSOF worked with said it could be two years before all of the affected devices are discovered, Oberman says. 

How One Affected Vendor Responded
JSOF informed Digi International of Ripple20 in February, says information security officer Donald Schleede. The IoT technology provider soon began examining the flaws and started the public disclosure process, which he says typically allows 90 days. However, because customer concerns and compliance standards demand 30 days' notice for any vendor, the time left to address critical flaws amounts to less than 60 days.

"These products are older products," says Schleede. "It's a code base that has been out there for a while." Working with the JSOF researchers, Digi went through and addressed each of the necessary code fixes and then did a code audit to verify whether flaws were attackable or not.

Ripple20 affected two lines of Digi products. One was its boxed products, which customers buy and for which Digi provides the firmware. The other consists of embedded boards, which customers integrate into their own products and for which Digi provides the code. All were patched by late April, and organizations were notified via Digi's enterprise management system. Schleede says many customers, especially in the industrial space, don't want automatic updates because they can interfere with processes.

When asked about the likelihood of vulnerabilities being exploited, Schleede says "it's hard to narrow this one down." The firm identified about 22 code fixes, the implications for which vary depending on how they're used. Attacks targeting the availability of data are "probably the hardest to protect against but the easiest attack." However, those affecting data confidentiality and integrity are both more dangerous and difficult to pull off. 

"If data is being stolen and you don't know where it's coming from, it's pretty critical," he adds.

The worst-case vulnerabilities in Ripple20 were difficult to exploit because they require extensive knowledge about the target device. Schleede says he spent three days with engineers trying to replicate the most destructive attacks, without success. Launching an attack to knock systems offline, he says, would be much easier.

"It's going to be different for different devices and how protections are designed," he explains. For vendors affected by Ripple20, he advises putting a strong security testing program in place.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...