Dark Reading
IoT
6/16/2020 05:50 PM
'Ripple20' Bugs Plague Enterprise, Industrial & Medical IoT Devices

Researchers discover 19 vulnerabilities in a TCP/IP software library manufacturers have used in connected devices for 20 years.

Security researchers today disclosed 19 bugs affecting hundreds of millions of Internet of Things (IoT) devices. The "Ripple20" vulnerabilities, four of which are critical, exist in a low-level TCP/IP software library used by many manufacturers to connect their devices to the Internet via TCP/IP connections.

Researchers with Israeli cybersecurity consultancy JSOF began researching this library, built by a software company called Treck, in September 2019. It piqued the team's interest because they predicted it would be used in several types of connected devices, explains CEO and researcher Shlomi Oberman. Investigation revealed several serious flaws in all types of connected devices. 

"We found it's pretty much everywhere, in terms of the IoT space," Oberman says. "We threw a stone in the pond, and ripples keep expanding, and every day we're learning of new vendors." The flaws are not named for their count, he adds, but for their ripple effect across industries.

JSOF has been working with Treck, the Computer Emergency Response Team Coordination Center (CERT/CC), and the Cybersecurity and Infrastructure Agency (CISA) in the disclosure process. While it was difficult to engage Treck at the start, JSOF says, the company ultimately took over the process of notifying its clients and developed a patch for Ripple20 by the end of March.

Vulnerable products include industrial control devices, printers, medical devices, power grids, home products, and retail devices. Ripple20 exists in the transportation, aviation, oil and gas, and government and national security sectors. Affected vendors range from one-person boutique shops to Fortune 500 corporations such as HP, Schneider Electric, Intel, and Rockwell Automation. When JSOF reached out to the Department of Homeland Security (DHS), it received a list of 70 to 80 vendors potentially at risk.

"Working with the DHS, and going after the supply chain vendor by vendor, we slowly realized how big of an issue this is," Oberman explains.

Inside Ripple20: The Most Critical Flaws
The vulnerabilities range in severity from small flaws with subtle effects to bugs that could enable denial of service or information disclosure if exploited, Oberman says. Two could lead to remote code execution, allowing attackers to take over a device and do whatever they want.

One of the more severe flaws is CVE-2020-11896 (CVSSv3 score 10), a remote code execution vulnerability that can be exploited by sending malformed IPv4 packets to a device supporting IPv4 tunneling. It affects any device running Treck with a specific configuration. Another is CVE-2020-11897 (CVSSv3 score 10), which can be triggered by sending multiple malformed IPv6 packets to a device. It affects any device running an older version of Treck with IPv6 support, JSOF reports. More information on the vulnerabilities can be found in the research team's full report.

An attacker would need to be on the network to exploit most of these vulnerabilities, Oberman says, but this usually isn't difficult because many IoT devices are already connected to the Internet by mistake. In some cases, a sophisticated attacker could target devices from outside the network. JSOF believes all vendors are vulnerable to at least one of the remote code execution flaws, with the exception of one vendor that made extensive changes to the code base itself.
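The two paragraphs above describe the exposure a defender can act on: the critical bugs are reached with crafted IPv4 tunneling and IPv6 packets, and the attacker usually needs network reachability to the device, which exposed or poorly segmented IoT devices provide. The script below is an added example (not code from the article, from JSOF, or from Treck) of a simple reachability check run over firewall logs: it flags IP-in-IP traffic (IANA protocol 4) aimed at an IoT segment, and any traffic reaching that segment from outside an allowlisted management subnet. The log format, the subnet values, and the two heuristics are assumptions made for the example; the sample log lines are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample firewall log (not from the article). Hypothetical
# "key=value" layout: ts, src, dst, proto (IANA protocol number), action.
SAMPLE_LOG = """\
ts=2020-06-16T10:00:01Z src=10.20.5.7 dst=10.30.1.15 proto=6 action=allow
ts=2020-06-16T10:00:02Z src=203.0.113.9 dst=10.30.1.15 proto=6 action=allow
ts=2020-06-16T10:00:03Z src=10.20.5.7 dst=10.30.1.22 proto=4 action=allow
ts=2020-06-16T10:00:04Z src=2001:db8::5 dst=2001:db8:30::22 proto=58 action=allow
ts=2020-06-16T10:00:05Z src=10.20.5.7 dst=10.30.1.22 proto=17 action=allow
"""

# Assumed network layout for the example: the IoT/OT segments that host
# embedded devices, and the only subnet that should talk to them.
IOT_SEGMENTS = [
    ipaddress.ip_network("10.30.1.0/24"),
    ipaddress.ip_network("2001:db8:30::/64"),
]
MGMT_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]

IP_IN_IP = 4  # IANA protocol number: IPv4 encapsulated in IPv4 (tunneling)


@dataclass
class Finding:
    line_no: int
    reason: str
    src: str
    dst: str


def parse_line(line: str) -> dict:
    """Split one 'k=v k=v ...' log line into a dict (assumed format)."""
    return dict(tok.split("=", 1) for tok in line.split())


def in_any(addr, nets) -> bool:
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so mixed v4/v6 allowlists are safe here.
    return any(addr in net for net in nets)


def analyze(log_text: str) -> list:
    """Return one Finding per heuristic hit for traffic into the IoT segments."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = parse_line(raw)
        src = ipaddress.ip_address(fields["src"])
        dst = ipaddress.ip_address(fields["dst"])
        proto = int(fields["proto"])

        # Only traffic that actually reaches an embedded-device segment matters.
        if not in_any(dst, IOT_SEGMENTS):
            continue

        # Heuristic 1: tunneled IPv4 is rarely legitimate toward IoT devices
        # and is the packet type the tunneling-related bug is reached through.
        if proto == IP_IN_IP:
            findings.append(Finding(line_no, "ip-in-ip tunnel traffic to IoT segment",
                                    str(src), str(dst)))

        # Heuristic 2: the device is reachable from outside the management
        # subnet, i.e. the "on the network" precondition already holds.
        if not in_any(src, MGMT_SOURCES):
            findings.append(Finding(line_no, "IoT device reached from outside management subnet",
                                    str(src), str(dst)))
    return findings


def exposed_devices(findings) -> set:
    """Distinct device addresses that appear in at least one finding."""
    return {f.dst for f in findings}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} ({f.src} -> {f.dst})")
    print("devices to review:", sorted(exposed_devices(analyze(SAMPLE_LOG))))
```

Run against the constructed log, the script reports three findings: the public address 203.0.113.9 reaching 10.30.1.15, the IP-in-IP packet to 10.30.1.22, and the IPv6 host outside the management subnet reaching 2001:db8:30::22. The value for a defender is the device list at the end, which is a starting point for the patch-or-isolate work the article says may take years when done through the supply chain alone.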

How these vulnerabilities affect an organization depends on how the software is used. The Treck software library can be used as is, configured for a range of uses, or built into a larger library, researchers explain in a writeup of their findings. Someone could buy the library in source code format and edit it; the library could be integrated into a range of device types. A company that originally bought the library could rebrand or undergo an acquisition.

"Over time, the original library component could become virtually unrecognizable," the team writes. "This is why, long after the original vulnerability was identified and patched, vulnerabilities may still remain in the field, since tracing the supply chain trail may be practically impossible." Many affected organizations may have no idea they're vulnerable to bugs in a software library that has been making its way into connected devices for 20 years.

While patches are now available for the Ripple20 vulnerabilities, researchers are still working to identify vulnerable devices. One of the coordination organizations that JSOF worked with said it could be two years before all of the affected devices are discovered, Oberman says. 

How One Affected Vendor Responded
JSOF informed Digi International of Ripple20 in February, says information security officer Donald Schleede. The IoT technology provider soon started looking at aspects of the flaws and began the public disclosure process, which he says is typically within 90 days. However, because customer concerns and compliance standards demand 30 days' notice for any vendor, the timeline for addressing critical flaws amounts to less than 60 days.

"These products are older products," says Schleede. "It's a code base that has been out there for a while." Working with the JSOF researchers, Digi went through and addressed each of the necessary code fixes and then did a code audit to verify whether flaws were attackable or not.

Ripple20 affected two lines of Digi products. One was its boxed products, which customers buy and for which Digi provides the firmware. The other consists of embedded boards, which customers integrate into their own products and for which Digi provides the code. All were patched by late April, and organizations were notified via Digi's enterprise management system. Schleede says many customers, especially in the industrial space, don't want automatic updates because they can interfere with processes.

When asked about the likelihood of vulnerabilities being exploited, Schleede says "it's hard to narrow this one down." The firm identified about 22 code fixes, whose implications vary depending on how the products are used. Attacks targeting the availability of data are "probably the hardest to protect against but the easiest attack." Those affecting data confidentiality and integrity, however, are both more dangerous and more difficult to pull off.

"If data is being stolen and you don't know where it's coming from, it's pretty critical," he adds.

The worst-case vulnerabilities in Ripple20 were difficult to exploit because they require extensive knowledge about the target device. Schleede says he spent three days with engineers trying to replicate the most destructive attacks, without success. An attack that merely knocks systems offline, he says, would be much easier to launch.

"It's going to be different for different devices and how protections are designed," he explains. For vendors affected by Ripple20, he advises putting a strong security testing program in place.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...