JSOF Research Lab has uncovered a series of 19 zero-day vulnerabilities that could impact hundreds of millions of IoT devices. Collectively named “Ripple20,” the vulnerabilities were found in a Treck TCP/IP stack that is widely embedded in enterprise and consumer-grade products including transportation systems, power grids, industrial equipment and others.
There are two aspects that make these vulnerabilities especially concerning to pharma, manufacturing, transportation and other critical infrastructure organizations:
- The impact that can be achieved through their exploitation: several of them allow an unauthenticated, remote attacker to execute arbitrary code on the vulnerable device.
- The extreme difficulty in finding and patching all instances of the vulnerable library due to the large number of impacted products and a complex, untracked software supply chain. The vulnerable library could potentially be deployed across several products, and companies may not be aware they are using it.
I want to reassure Nozomi Networks customers that our solutions do not use the 3rd party products identified, and so are not at risk from the Ripple20 vulnerabilities. However, because these vulnerabilities are so important to the industries we serve, we are sharing our initial analysis of them.
Ripple20 Technical Analysis & Mitigation Tactics
While all 19 vulnerabilities should be addressed with the appropriate patches or mitigations, four in particular should be prioritized given their CVSSv3 severity scores as published in the U.S. DHS CISA advisory. Network administrators should also verify that the mitigations offered are suitable for each network configuration. The four vulnerabilities that should be addressed as soon as possible are:
CVE-2020-11896
- Description: Remote code execution by an attacker that can reach the vulnerable device through an open UDP port. The vulnerability details and the exploitation strategy have been described extensively in a publicly available paper by JSOF.
- Mitigation: Disable IP-in-IP tunneling (IP protocol number 4).
- CVSSv3: 10
CVE-2020-11897
- Description: Remote code execution triggered by an attacker that can send multiple malformed IPv6 packets to a vulnerable device.
- Mitigation: Disable IP source routing, including IPv6 source routing – Routing Header Type 0, deprecated by RFC-5095.
- CVSSv3: 10
CVE-2020-11898
- Description: An attacker can make the vulnerable device leak heap memory and use the leaked data to bypass exploit mitigations such as ASLR. The vulnerability details and the exploitation strategy have been described extensively in a publicly available paper by JSOF.
- Mitigation: Disable IP-in-IP tunneling (IP protocol number 4).
- CVSSv3: 9.1
CVE-2020-11901
- Description: Remote code execution by an attacker that can answer a single DNS request initiated by the vulnerable device. A non-public proof of concept targeting a Schneider Electric APC UPS was developed by JSOF researchers.
- Mitigation: Normalize DNS responses through DNS deep packet inspection or with a secure DNS recursion server.
- CVSSv3: 9
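Three of the four mitigations above are network-level: drop IP-in-IP (IP protocol 4), drop IPv4 source-route options, and drop IPv6 Routing Header Type 0. The following classifier, added here as an illustration and not part of the original post nor of any Nozomi Networks or Treck code, shows the checks a packet filter or monitoring sensor would apply to raw IPv4/IPv6 packets to enforce them. The sample packets are constructed inline (checksums left zero) and the `classify`/`ipv4`/`ipv6` helpers are assumptions of this example.

```python
"""Added example: classify raw IP packets against the Ripple20 network mitigations.
Not Nozomi Networks code; sample packets are constructed, not captured."""
import struct

IPPROTO_IPIP = 4          # IP-in-IP tunneling: mitigation for CVE-2020-11896 / CVE-2020-11898
IPOPT_LSRR = 131          # IPv4 Loose Source and Record Route option
IPOPT_SSRR = 137          # IPv4 Strict Source and Record Route option
IPV6_EXT_HOPOPT = 0
IPV6_EXT_ROUTING = 43
IPV6_EXT_FRAGMENT = 44
IPV6_EXT_AH = 51
IPV6_EXT_DSTOPTS = 60
IPV6_RH_TYPE0 = 0         # Routing Header Type 0 (RFC 5095): mitigation for CVE-2020-11897


def classify(packet: bytes) -> str:
    """Return 'pass' or 'drop:<reason>' for a raw IPv4 or IPv6 packet (no link-layer header)."""
    if not packet:
        return "drop:empty"
    version = packet[0] >> 4
    if version == 4:
        return _classify_ipv4(packet)
    if version == 6:
        return _classify_ipv6(packet)
    return "drop:unknown-ip-version"


def _classify_ipv4(pkt: bytes) -> str:
    if len(pkt) < 20:
        return "drop:truncated-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "drop:bad-ihl"
    if pkt[9] == IPPROTO_IPIP:
        return "drop:ip-in-ip"
    # Walk the options area looking for source-route options.
    opts, i = pkt[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No-Operation: single octet, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return "drop:bad-ipv4-option"
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return "drop:ipv4-source-route"
        i += opts[i + 1]
    return "pass"


def _classify_ipv6(pkt: bytes) -> str:
    if len(pkt) < 40:
        return "drop:truncated-ipv6"
    nxt, off = pkt[6], 40
    for _ in range(8):                # bound the extension-header chain
        if nxt not in (IPV6_EXT_HOPOPT, IPV6_EXT_ROUTING, IPV6_EXT_DSTOPTS,
                       IPV6_EXT_FRAGMENT, IPV6_EXT_AH):
            return "pass"             # reached the upper-layer header
        if len(pkt) < off + 8:        # every handled extension header is at least 8 octets
            return "drop:truncated-ipv6-ext"
        if nxt == IPV6_EXT_ROUTING and pkt[off + 2] == IPV6_RH_TYPE0:
            return "drop:ipv6-rh0"
        if nxt == IPV6_EXT_FRAGMENT:
            ext_len = 8
        elif nxt == IPV6_EXT_AH:
            ext_len = (pkt[off + 1] + 2) * 4
        else:
            ext_len = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + ext_len
    return "drop:ipv6-ext-chain-too-long"


def ipv4(proto: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header for the samples (checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234, 0,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a minimal IPv6 header for the samples."""
    src = b"\xfe\x80" + b"\x00" * 13 + b"\x01"
    dst = b"\xfe\x80" + b"\x00" * 13 + b"\x02"
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64, src, dst) + payload


UDP_STUB = b"\x00" * 8    # placeholder UDP header; the classifier never looks past the IP layer
SAMPLES = {                # constructed sample traffic
    "plain udp": ipv4(17, UDP_STUB),
    "ip-in-ip": ipv4(IPPROTO_IPIP, ipv4(17, UDP_STUB)),
    "lsrr": ipv4(17, UDP_STUB, options=bytes([IPOPT_LSRR, 7, 4, 192, 168, 1, 1])),
    "v6 udp": ipv6(17, UDP_STUB),
    "v6 hbh+rh0": ipv6(IPV6_EXT_HOPOPT,
                       bytes([IPV6_EXT_ROUTING, 0, 1, 4, 0, 0, 0, 0])      # Hop-by-Hop, one PadN option
                       + bytes([17, 2, IPV6_RH_TYPE0, 1]) + b"\x00" * 4    # RH0, segments left = 1
                       + b"\x20\x01\x0d\xb8" + b"\x00" * 12                # one intermediate address
                       + UDP_STUB),
}


def classify_samples() -> dict:
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:12s} -> {result}")
```

The IPv6 walk follows the extension-header chain rather than looking only at the first Next Header value, because a Routing Header may legitimately sit behind a Hop-by-Hop or Destination Options header; a filter that stops at the first header is trivially bypassed.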
Ripple20 Vulnerabilities Impact & Mitigation Summary
The following table is a summary of all the vulnerabilities included in Ripple20. The technical details of some CVEs have not been documented extensively, so their entries are partial; taking their CVSSv3 scores into account, however, their security impact is likely limited. The Nozomi Networks Labs team will update this reference as more details become available.
The data presented below has been compiled from publicly-available material from JSOF and the CERT Coordination Center, with the goal of providing a cohesive overview of Ripple20. In looking at how the vulnerabilities affected different versions of the library, we can appreciate the significant efforts of all those involved in tracking and patching the discovered issues.
Although the table above proposes specific mitigations for each vulnerability, more generic strategies also help limit the risk. Infrastructure operators should minimize the number of embedded devices reachable from the internet, as such exposure is an intrinsic risk. OT networks should be properly segregated and not reachable from the outside. Firewalls should be used to block ICMP, TCP, DNS, DHCP and ARP traffic originating from unauthorized sources.
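The mitigation for CVE-2020-11901 above calls for normalizing DNS responses through deep packet inspection or a secure recursive resolver. The validator below, added here as an illustration and not part of the original post nor a model of the Treck resolver, shows the strict checks such inspection applies before a response is forwarded to an embedded device: every name, compression pointer and RDLENGTH is verified against the message bounds, and anything out of spec is dropped. The sample responses are constructed inline, and the `verdict`/`validate_response`/`read_name` names are assumptions of this example.

```python
"""Added example: strict validation of DNS responses, as a DNS DPI rule would apply it.
Not Nozomi Networks code; the sample messages are constructed, not captured."""
import struct

MAX_NAME = 255
NAME_IN_RDATA = {2, 5, 12}     # NS, CNAME, PTR carry a domain name in RDATA


class DnsMalformed(ValueError):
    pass


def read_name(msg: bytes, off: int) -> tuple:
    """Decode the name at `off`; return (name, offset just past it in the current section).
    A compression pointer must point strictly before every position already visited: this is
    RFC 1035's 'prior occurrence' rule and it also makes pointer loops impossible."""
    labels, total, floor, end = [], 0, off, None
    while True:
        if off >= len(msg):
            raise DnsMalformed("name runs past end of message")
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:
            if off + 1 >= len(msg):
                raise DnsMalformed("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[off + 1]
            if target >= floor:
                raise DnsMalformed("compression pointer does not point backward")
            if end is None:
                end = off + 2          # the name in this section ends after the first pointer
            floor = off = target
            continue
        if length & 0xC0:              # 0x40 / 0x80 label types are reserved
            raise DnsMalformed("reserved label type")
        total += length + 1            # plain labels are at most 63 octets by construction
        if total > MAX_NAME:
            raise DnsMalformed("name longer than 255 octets")
        if off + 1 + length > len(msg):
            raise DnsMalformed("label runs past end of message")
        labels.append(msg[off + 1:off + 1 + length].decode("latin-1"))
        off += 1 + length
    return ".".join(labels) or ".", end if end is not None else off


def validate_response(msg: bytes) -> list:
    """Walk every section of a DNS response and raise DnsMalformed on anything out of spec.
    Returns (owner name, type, rdlength) for each resource record."""
    if len(msg) < 12:
        raise DnsMalformed("shorter than DNS header")
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise DnsMalformed("QR bit clear: not a response")
    off = 12
    for _ in range(qd):
        _name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise DnsMalformed("truncated question")
        off += 4                       # QTYPE, QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise DnsMalformed("truncated resource record header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise DnsMalformed("RDLENGTH exceeds message")
        if rtype in NAME_IN_RDATA:
            _target, end = read_name(msg, off)
            if end != off + rdlen:
                raise DnsMalformed("RDATA name does not fill RDLENGTH")
        elif (rtype == 1 and rdlen != 4) or (rtype == 28 and rdlen != 16):
            raise DnsMalformed("address record with wrong RDLENGTH")
        records.append((name, rtype, rdlen))
        off += rdlen
    if off != len(msg):
        raise DnsMalformed("trailing bytes after last record")
    return records


def verdict(msg: bytes) -> str:
    """'pass' or 'drop:<reason>', the form a DPI rule acts on."""
    try:
        validate_response(msg)
        return "pass"
    except DnsMalformed as exc:
        return "drop:" + str(exc)


def header(answers: int) -> bytes:
    return struct.pack("!6H", 0x1234, 0x8180, 1, answers, 0, 0)


QUESTION = b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"        # www.example.com IN A
GOOD = (header(2) + QUESTION
        + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 6) + b"\x03web\xc0\x10"        # CNAME
        + b"\xc0\x2d" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))  # A
POINTER_LOOP = header(0) + b"\xc0\x0c" + b"\x00\x01\x00\x01"              # question name points to itself
BAD_LABEL = header(0) + b"\x80" + b"a" * 10 + b"\x00" + b"\x00\x01\x00\x01"
RDLEN_OVERRUN = header(1) + QUESTION + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 400) + b"\x00" * 4

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("loop", POINTER_LOOP), ("label", BAD_LABEL), ("rdlen", RDLEN_OVERRUN)]:
        print(f"{label:6s} -> {verdict(msg)}")
```

Dropping on any violation, rather than trying to repair the response, is the safe choice for this use case: the resolver on the embedded device is the component under attack, so it must never see the bytes that trip these checks.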
Vendors Affected by Ripple20 Vulnerabilities
While a more complete list of affected vendors and products will likely be made available as new information arises, JSOF, with the help of several national computer emergency response teams (CERT), has already reached out to the companies believed to be embedding the vulnerable library in their products. Considering that many vendors are urgently working on the updates, we recommend that concerned organizations consult with the security advisories of the products they have deployed.
At the time of writing, the following vendors are confirmed to be affected:
- B. Braun – https://www.bbraunusa.com/en/products-and-therapies/customer-communications.html
- Baxter
- Caterpillar
- HP
- Intel
- Maxlinear (through HLFN)
- Rockwell – https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1126896/loc/en_US#__highlight
- Sandia National Labs
- Schneider Electric/APC – https://www.se.com/ww/en/download/document/SESB-2020-168-01/
- Digi – https://www.digi.com/support/knowledge-base/digi-international-security-notice-treck-tcp-ip-st
- HCL Tech – https://www.hcltech.com/software/psirt
How to Protect Your OT/IoT Networks
Nozomi Networks Labs is currently analyzing the technical data related to Ripple20 vulnerabilities, and as more information becomes available, will extend the detection coverage available in our Threat Intelligence service.
Network operators should determine whether the networks under their management contain vulnerable devices. Considering the unique requirements of each configuration, operators should also consider deploying the mitigations proposed above for cases where a security update is not yet available.
References:
- https://www.jsof-tech.com/ripple20
- https://kb.cert.org/vuls/id/257161
- https://www.us-cert.gov/ics/advisories/icsa-20-168-01