Security researchers have identified a series of 19 zero-day vulnerabilities in a lightweight TCP/IP stack library used in many IoT products. The vulnerabilities, dubbed Ripple20, likely impact hundreds of millions of IoT devices.
The Israel-based security research firm JSOF discovered the Ripple20 vulnerabilities in 2019.
According to a new research report by JSOF, product vendors have been using the library for over 20 years to connect their devices to the internet.
“Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries,” the researchers explained.
Security experts fear that the library is not only used in vendor products, but likely in various software suites as well. This may make it more difficult to trace back vulnerable code in various software solutions.
The small TCP/IP library is developed by Treck, a software company based in Cincinnati.
The JSOF team further worked with computer emergency response teams (including CERT/CC) in multiple countries as part of a coordinated responsible disclosure process with impacted vendors.
Ripple20 vulnerabilities and patches
Treck also confirmed that patches are now available for all of the Ripple20 vulnerabilities.
Four of the vulnerabilities have been identified as Critical:
- CVE-2020-11896 (remote code execution vulnerability): Improper handling of a length parameter inconsistency in the IPv4/UDP component when handling a packet sent by an unauthorized network attacker.
- CVE-2020-11897 (out-of-bounds write vulnerability): Improper handling of a length parameter inconsistency in the IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in an out-of-bounds write.
- CVE-2020-11898 (information disclosure vulnerability): Improper handling of a length parameter inconsistency in the IPv4/ICMPv4 component when handling a packet sent by an unauthorized network attacker.
- CVE-2020-11899 (information disclosure vulnerability): Improper input validation in the IPv6 component when handling a packet sent by an unauthorized network attacker.
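Three of the four Critical CVEs above are described as length parameter inconsistencies. As an added illustration, and not code from Treck or JSOF, the following shows the cross-layer length check a defender expects an IPv4/UDP parser to perform before trusting any length field; the frames are constructed for this example, and nothing here reflects the actual Treck implementation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Illustrative IPv4/UDP length-consistency check, not the Treck implementation.
 * Returns 1 when every length field agrees with the bytes actually received,
 * 0 when any inconsistency is found and the packet should be dropped. */
int ipv4_udp_lengths_consistent(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 20) return 0;                   /* no room for an IPv4 header */
    if ((frame[0] >> 4) != 4) return 0;             /* not IPv4 */
    size_t ihl = (size_t)(frame[0] & 0x0f) * 4;    /* header length in bytes */
    if (ihl < 20 || ihl > frame_len) return 0;
    size_t total_len = ((size_t)frame[2] << 8) | frame[3];
    /* IP total length must cover its own header and fit in the received frame */
    if (total_len < ihl || total_len > frame_len) return 0;
    if (frame[9] != 17) return 0;                   /* protocol must be UDP */
    if (total_len - ihl < 8) return 0;              /* no room for a UDP header */
    const uint8_t *udp = frame + ihl;
    size_t udp_len = ((size_t)udp[4] << 8) | udp[5];
    /* UDP length must hold its header and never exceed the IP payload */
    if (udp_len < 8 || udp_len > total_len - ihl) return 0;
    return 1;
}

/* Constructed sample frame: 20-byte IPv4 header, 8-byte UDP header, 4 data bytes */
static const uint8_t good_frame[32] = {
    0x45,0x00,0x00,0x20, 0,0,0,0, 0x40,0x11,0,0, 10,0,0,1, 10,0,0,2,
    0x04,0xd2,0x04,0xd2, 0x00,0x0c,0,0, 'd','a','t','a' };

int check_good(void)
{
    return ipv4_udp_lengths_consistent(good_frame, sizeof good_frame);
}

/* Same frame, but the UDP length claims more data than the IP layer delivered */
int check_udp_too_long(void)
{
    uint8_t f[32]; memcpy(f, good_frame, sizeof f);
    f[24] = 0x01; f[25] = 0x00;   /* UDP length field = 256 */
    return ipv4_udp_lengths_consistent(f, sizeof f);
}

/* Same frame, but the IP total length exceeds what was actually received */
int check_ip_too_long(void)
{
    uint8_t f[32]; memcpy(f, good_frame, sizeof f);
    f[2] = 0x01; f[3] = 0x00;     /* IP total length field = 256 */
    return ipv4_udp_lengths_consistent(f, sizeof f);
}
```

A parser that copies or reads based on a single one of these fields without checking the others against the received byte count is exposed to exactly the class of inconsistency the advisories describe.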
Additional vulnerability details are also published in the JSOF report.
JSOF further warned that their work is only half-way done. They chose the name Ripple20 to reflect the ripple effect these vulnerabilities will likely have on the IoT landscape this year and in years to come.
Since the original research report, multiple vendors have released new security updates to address the Ripple20 vulnerabilities.
For instance, Cisco confirmed three of the Ripple20 vulnerabilities affect multiple Cisco products.
Many other vendors also confirmed products impacted by the Treck IP stack vulnerabilities, including HP Inc., Intel, Baxter US, Schneider Electric, Digi International, Caterpillar and others.
Updated June 20, 2020: this article includes new vendor Treck IP Stack security advisories.