Ripple20: Flaws in Treck TCP/IP Stack Expose Millions of IoT Devices to Attacks

Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack, Israel-based cybersecurity company JSOF warned on Tuesday.

Treck TCP/IP is a high-performance TCP/IP protocol suite designed specifically for embedded systems. JSOF researchers have discovered that the product is affected by a total of 19 vulnerabilities, which they collectively track as Ripple20.

The vulnerabilities rated critical and high-severity can be exploited for remote code execution, denial-of-service (DoS) attacks, and for obtaining potentially sensitive information. Exploitation involves sending specially crafted IP packets or DNS requests to the targets, and in some cases it may be possible to launch attacks directly from the internet.

“Ripple20 vulnerabilities are unique both in their widespread effect and impact due to supply chain effect and being vulnerabilities allowing attackers to bypass NAT and firewalls and take control of devices undetected, with no user interaction required,” JSOF said in a report describing Ripple20. “This is due to the vulnerabilities being in a low level TCP/IP stack, and the fact that for many of the vulnerabilities, the packets sent are very similar to valid packets, or, in some cases are completely valid packets. This enables the attack to pass as legitimate traffic.”

The vulnerable library has been used in devices made by more than 100 organizations, including industrial, medical, smart home, networking, enterprise, retail, energy and transportation systems.

According to JSOF, depending on what the targeted system is used for, exploitation of the vulnerabilities can allow an attacker to maintain access to a network, cause financial damage, cause disruption, or take control of devices (in the case of medical devices this can threaten an individual’s life or health).

The list of vendors that use the Treck TCP/IP stack includes BAE Systems, BD, Broadcom, Cisco, Dell EMC, GE, Honeywell, HP, Intel, Lockheed Martin, NASA, NVIDIA, Philips, Rockwell Automation, Schneider Electric, and many others. However, it’s worth noting that the researchers have only confirmed the presence of the vulnerabilities in the products of a handful of companies, such as B. Braun, Baxter, Caterpillar, HP, Intel, Schneider, Rockwell, and HCL Technologies.

JSOF says it has been working with several organizations to coordinate the disclosure of the vulnerabilities and patching efforts, including CERT/CC, CISA, the FDA, national CERTs, impacted vendors, and other cybersecurity companies.

Treck has developed patches for the vulnerabilities, but in many cases it’s not easy to deploy them on impacted devices. In some cases, it’s not possible to install the patches and users will need to take steps to minimize the risk of attacks.

JSOF noted that some of the identified security holes were patched years ago by the vendor as a result of routine code changes, but many devices using the Treck library remain impacted. The researchers also pointed out that various code changes and configurations introduce several variants for some of the vulnerabilities.

Treck and some of the affected vendors are working on publishing their own advisories for the Ripple20 vulnerabilities.

UPDATE: Treck and CERT/CC have published their advisories for the Ripple20 vulnerabilities.

UPDATE June 22: Sandia National Labs has been removed from the list of affected organizations.

Related: Urgent/11 Flaws Impact More RTOS Used by Medical, Industrial Devices

Related: Antivirus Vendors Patch Bug First Discovered 10 Years Ago

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.