Security Experts:

Ripple20: Flaws in Treck TCP/IP Stack Expose Millions of IoT Devices to Attacks

Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack, Israel-based cybersecurity company JSOF warned on Tuesday.

Treck TCP/IP is a high-performance TCP/IP protocol suite designed specifically for embedded systems. JSOF researchers have discovered that the product is affected by a total of 19 vulnerabilities, which they collectively track as Ripple20.

The vulnerabilities rated critical and high-severity can be exploited for remote code execution, denial-of-service (DoS) attacks, and for obtaining potentially sensitive information. Exploitation involves sending specially crafted IP packets or DNS requests to the targets, and in some cases it may be possible to launch attacks directly from the internet.

“Ripple20 vulnerabilities are unique both in their widespread effect and impact due to supply chain effect and being vulnerabilities allowing attackers to bypass NAT and firewalls and take control of devices undetected, with no user interaction required,” JSOF said in a report describing Ripple20. “This is due to the vulnerabilities’ being in a low level TCP/IP stack, and the fact that for many of the vulnerabilities, the packets sent are very similar to valid packets, or, in some cases are completely valid packets. This enables the attack pass as legitimate traffic.”Ripple20 vulnerabilities

The vulnerable library has been used in devices made by more than 100 organizations, including industrial, medical, smart home, networking, enterprise, retail, energy and transportation systems.

According to JSOF, depending on what the targeted system is used for, exploitation of the vulnerabilities can allow an attacker to maintain access to a network, cause financial damage, cause disruption, or take control of devices (in the case of medical devices this can threaten an individual’s life or health).

The list of vendors that use the Treck TCP/IP stack include BAE Systems, BD, Broadcom, Cisco, Dell EMC, GE, Honeywell, HP, Intel, Lockheed Martin, NASA, NVIDIA, Philips, Rockwell Automation, Schneider Electric, and many others. However, it’s worth noting that researchers have only confirmed the presence of the vulnerabilities in the products of a handful of companies, such as B. Braun, Baxter, Caterpillar, HP, Intel, Schneider, Rockwell, and HCL Technologies.

JSOF says it has been working with several organizations to coordinate the disclosure of the vulnerabilities and patching efforts, including CERT/CC, CISA, the FDA, national CERTs, impacted vendors, and other cybersecurity companies.

Treck has developed patches for the vulnerabilities, but in many cases it’s not easy to deploy them on impacted devices. In some cases, it’s not possible to install the patches and users will need to take steps to minimize the risk of attacks.

JSOF noted that some of the identified security holes were patched years ago by the vendor as a result of routine code changes, but many devices using the Treck library remain impacted. The researchers also pointed out that various code changes and configurations introduce several variants for some of the vulnerabilities.

Treck and some of the affected vendors are working on publishing their own advisories for the Ripple20 vulnerabilities.

UPDATE: Treck and CERT/CC have published their advisories for the Ripple20 vulnerabilities.

UPDATE June 22: Sandia National Labs has been removed from the list of affected organizations.

Related: Urgent/11 Flaws Impact More RTOS Used by Medical, Industrial Devices

Related: Antivirus Vendors Patch Bug First Discovered 10 Years Ago

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.