IoT | 6/16/2020 05:50 PM
'Ripple20' Bugs Plague Enterprise, Industrial & Medical IoT Devices

Researchers discover 19 vulnerabilities in a TCP/IP software library manufacturers have used in connected devices for 20 years.

Security researchers today disclosed 19 bugs affecting hundreds of millions of Internet of Things (IoT) devices. The "Ripple20" vulnerabilities, four of which are critical, exist in a low-level TCP/IP software library that many manufacturers embed in their devices to give them network connectivity.

Researchers with Israeli cybersecurity consultancy JSOF began researching this library, built by a software company called Treck, in September 2019. It piqued the team's interest because they predicted it would be used in several types of connected devices, explains CEO and researcher Shlomi Oberman. Investigation revealed several serious flaws in the library that affect all types of connected devices.

"We found it's pretty much everywhere, in terms of the IoT space," Oberman says. "We threw a stone in the pond, and ripples keep expanding, and every day we're learning of new vendors." The flaws are not named for their count, he adds, but for their ripple effect across industries.

JSOF has been working with Treck, the Computer Emergency Response Team Coordination Center (CERT/CC), and the Cybersecurity and Infrastructure Security Agency (CISA) in the disclosure process. While it was difficult to engage Treck at the start, JSOF says, the company ultimately took over the process of notifying its clients and developed a patch for Ripple20 by the end of March.

Vulnerable products include industrial control devices, printers, medical devices, power grid equipment, home products, and retail devices. Ripple20 also reaches into the transportation, aviation, oil and gas, and government and national security sectors. Affected vendors range from one-person boutique shops to Fortune 500 corporations such as HP, Schneider Electric, Intel, and Rockwell Automation. When JSOF reached out to the Department of Homeland Security (DHS), they received a list of 70 to 80 vendors potentially at risk.

"Working with the DHS, and going after the supply chain vendor by vendor, we slowly realized how big of an issue this is," Oberman explains.

Inside Ripple20: The Most Critical Flaws
The vulnerabilities range in severity from small flaws with subtle effects to bugs that could enable denial of service or information disclosure if exploited, Oberman says. Two could lead to remote code execution, allowing attackers to take over a device and do whatever they want.

One of the more severe flaws is CVE-2020-11896 (CVSSv3 score 10), a remote code execution vulnerability that can be exploited by sending malformed IPv4 packets to a device supporting IPv4 tunneling. It affects any device running the Treck stack in a specific configuration. Another is CVE-2020-11897 (CVSSv3 score 10), which can be triggered by sending multiple malformed IPv6 packets to a device. It affects any device running an older version of Treck with IPv6 support, JSOF reports. More information on the vulnerabilities can be found in the research team's full report.
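The paragraph above gives only the trigger conditions for CVE-2020-11896: malformed IPv4 packets arriving at a device that supports IPv4 tunneling. The screening logic below is an added example written for this page; it is not JSOF's proof of concept, Treck's code, or a reproduction of the actual bug, and it does not know the specific malformation JSOF found. It assumes a network monitor that hands it raw IPv4 packets (the byte strings at the bottom are constructed, not captured traffic) and applies two general checks a defender can use while devices are still unpatched: flag IP-in-IP encapsulated traffic (IANA protocol number 4) at all, and flag any outer or inner header whose length fields disagree with the bytes actually present.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA protocol number 4 = IPv4 encapsulated in IPv4 (IP-in-IP tunnelling),
# the feature a target must support for the CVE-2020-11896 trigger described above.
IPPROTO_IPIP = 4


@dataclass
class IPv4Header:
    version: int
    ihl: int           # header length in 32-bit words (5 = no options)
    total_length: int  # header + payload length the packet claims
    protocol: int
    src: str
    dst: str


def parse_ipv4(buf: bytes) -> Tuple[Optional[IPv4Header], List[str]]:
    """Parse one IPv4 header and list every field that disagrees with the
    bytes actually present. Nothing is trusted: claimed lengths are compared
    against len(buf) rather than used to index into it."""
    problems: List[str] = []
    if len(buf) < 20:
        return None, [f"truncated: {len(buf)} bytes, minimum header is 20"]
    (ver_ihl, _tos, total_length, _ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    hdr = IPv4Header(version, ihl, total_length, proto,
                     ".".join(map(str, src)), ".".join(map(str, dst)))
    if version != 4:
        problems.append(f"version {version} != 4")
    if ihl < 5:
        problems.append(f"IHL {ihl} below minimum of 5 words")
    elif ihl * 4 > len(buf):
        problems.append(f"IHL claims {ihl * 4} header bytes, only {len(buf)} present")
    if total_length < max(20, ihl * 4):
        problems.append(f"total length {total_length} shorter than header")
    if total_length > len(buf):
        problems.append(f"total length {total_length} exceeds captured {len(buf)} bytes")
    return hdr, problems


def screen_packet(buf: bytes) -> dict:
    """Screen one raw IPv4 packet: is it malformed, does it carry an IP-in-IP
    payload, and why. A monitor can alert on malformed tunnelled traffic that
    is headed for devices that cannot yet be patched."""
    outer, problems = parse_ipv4(buf)
    tunnelled = False
    if outer is not None and outer.protocol == IPPROTO_IPIP:
        tunnelled = True
        # Only walk into the inner packet if the outer header length is sane.
        if 5 <= outer.ihl and outer.ihl * 4 <= len(buf):
            _inner, inner_problems = parse_ipv4(buf[outer.ihl * 4:])
            problems.extend("inner: " + p for p in inner_problems)
    return {"malformed": bool(problems), "tunnelled": tunnelled, "reasons": problems}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               total_length: Optional[int] = None, ihl: int = 5) -> bytes:
    """Build a constructed test packet. The checksum is left as zero because
    the screen above deliberately does not depend on it; total_length and ihl
    can be overridden to fabricate inconsistent headers."""
    if total_length is None:
        total_length = 20 + len(payload)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_length,
                         0, 0, 64, proto, 0, src_b, dst_b)
    return header + payload


# Constructed samples (not captured traffic): a plain UDP datagram, a clean
# IP-in-IP packet, a tunnelled packet whose inner header lies about its length,
# and a packet whose IHL is impossibly small.
PLAIN_UDP = build_ipv4("10.0.0.1", "10.0.0.2", 17, b"\x00" * 8)
CLEAN_TUNNEL = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_IPIP,
                          build_ipv4("192.168.1.1", "192.168.1.2", 17, b"\x00" * 8))
BAD_INNER_LENGTH = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_IPIP,
                              build_ipv4("192.168.1.1", "192.168.1.2", 17, b"\x00" * 8,
                                         total_length=200))
BAD_OUTER_IHL = build_ipv4("10.0.0.1", "10.0.0.2", 17, b"\x00" * 8, ihl=3)

if __name__ == "__main__":
    for name, pkt in [("PLAIN_UDP", PLAIN_UDP), ("CLEAN_TUNNEL", CLEAN_TUNNEL),
                      ("BAD_INNER_LENGTH", BAD_INNER_LENGTH), ("BAD_OUTER_IHL", BAD_OUTER_IHL)]:
        print(name, screen_packet(pkt))
```

The parser never uses a claimed length to slice the buffer before checking it against the bytes on hand; that ordering is the whole point, since trusting the header's own length fields is what a malformed-packet bug in a receiving stack exploits. On a real sensor the `tunnelled` flag alone is worth an alert for segments where no device should legitimately be receiving IP-in-IP.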

An attacker would need to be on the network to exploit most of these vulnerabilities, Oberman says, but this usually isn't difficult because many IoT devices are already connected to the Internet by mistake. In some cases, a sophisticated attacker could target devices from outside the network. JSOF believes all vendors are vulnerable to at least one of the remote code execution flaws, with the exception of one vendor that made extensive changes to the code base itself.

How these vulnerabilities affect an organization depends on how the software is used. The Treck software library can be used as is, configured for a range of uses, or built into a larger library, researchers explain in a writeup of their findings. Someone could buy the library in source code format and edit it; the library could be integrated into a range of device types. A company that originally bought the library could rebrand or undergo an acquisition.

"Over time, the original library component could become virtually unrecognizable," the team writes. "This is why, long after the original vulnerability was identified and patched, vulnerabilities may still remain in the field, since tracing the supply chain trail may be practically impossible." Many affected organizations may have no idea they're vulnerable to bugs in a software library that has been making its way into connected devices for 20 years.

While patches are now available for the Ripple20 vulnerabilities, researchers are still working to identify vulnerable devices. One of the coordination organizations that JSOF worked with said it could be two years before all of the affected devices are discovered, Oberman says. 

How One Affected Vendor Responded
JSOF informed Digi International of Ripple20 in February, says information security officer Donald Schleede. The IoT technology provider soon started looking at aspects of the flaws and began the public disclosure process, which he says is typically within 90 days. However, because customer concerns and compliance standards demand 30 days' notice for any vendor, the timeline for addressing critical flaws amounts to less than 60 days.

"These products are older products," says Schleede. "It's a code base that has been out there for a while." Working with the JSOF researchers, Digi went through and addressed each of the necessary code fixes and then did a code audit to verify whether flaws were attackable or not.

Ripple20 affected two lines of Digi products. One was its boxed products, which customers buy and for which Digi provides the firmware. The other consists of embedded boards, which customers integrate into their own products, and for which Digi provides the code. All were patched by late April, and organizations were notified via Digi's enterprise management system. Schleede says many customers, especially in the industrial space, don't want automatic updates because they can interfere with processes.

When asked about the likelihood of vulnerabilities being exploited, Schleede says "it's hard to narrow this one down." The firm identified about 22 code fixes, the implications of which vary depending on how the code is used. Attacks targeting the availability of data are "probably the hardest to protect against but the easiest attack." However, those affecting data confidentiality and integrity are both more dangerous and more difficult to pull off.

"If data is being stolen and you don't know where it's coming from, it's pretty critical," he adds.

The worst-case scenario vulnerabilities in Ripple20 were difficult to exploit because they require extensive knowledge about the target device. Schleede says he spent three days with engineers trying to replicate the most destructive attacks with no success. If he wanted to launch an attack to knock systems offline, he says it would be much easier.

"It's going to be different for different devices and how protections are designed," he explains. For vendors affected by Ripple20, he advises putting a strong security testing program in place.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio