Millions of Connected Devices Have Exploitable TCP/IP FlawsTreck Issues 'Ripple20' Fixes for 19 Flaws in Its Widely Used TCP/IP Library
Time for another internet of things update nightmare: Researchers have found that a little-known software library that's been widely used for decades - by numerous companies and in many products - has serious vulnerabilities that need immediate fixing.
This time, the flaws - dubbed "Ripple20" by researchers - involve TCP/IP code from Cincinnati-based Treck, which makes software for implementing various networking protocols. While Treck might be a low-profile company few have heard of, its code has nevertheless found its way into millions of connected devices, from medical pumps and office printers to utility grid systems and aviation components.
That's because Treck’s TCP/IP code stack - an embedded library - is known for its high performance and reliability. The code is apparently particularly well-suited for low-power IoT devices and real-time operating system usage.
On Tuesday, however, Israeli cybersecurity consultancy JSOF disclosed 19 vulnerabilities in the TCP/IP code after previously reporting the flaws to Treck, which has prepared a fix. JSOF’s findings follow another large-scale problem affecting IoT devices coming to light, in that case in the Universal Plug and Play protocol (see: UpNp Vulnerability Could Affect Billions of IoT Devices).
Information about the Ripple20 flaws has been circulating privately since last year, as researchers, vendors and security experts worked to coordinate fixes and alert relevant parties. JSOF notes that it reached out to agencies such as the CERT Coordination Center and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency once it realized how challenging it would be to identify all companies and products that utilize the vulnerable code from Treck.
Experts say numerous organizations will need to issue updates or detail workarounds to mitigate the flaws. Already, medical device manufacturer B. Braun Medical, based in Pennsylvania, issued an advisory on Friday saying only one of its products, the Outlook 400ES infusion pump, is affected by the flaws. It says it is still analyzing four patches issued by Treck but that its customers do not need to take immediate action.
JSOF says that Treck is reaching out directly to warn its clients, but it says that because of nondisclosure agreements, Treck hasn't released a list of those clients.
“The software library spreads far and wide, to the point that tracking it down has been a major challenge,” JSOF says. “As we traced through the distribution trail of Treck’s TCP/IP library, we discovered that over the past two decades this basic piece of networking software has been spreading around the world, through both direct and indirect use.”
Forescout Technologies, which worked with JSOF on disclosure, writes that more than 50 vendors may be affected, “exposing a very complex supply chain for IoT devices.”
Forescout used the internet-connected device search engine Shodan to look for potentially vulnerable devices that are exposed to the internet and could be directly compromised. It found 15,000 such devices, including printers, IP cameras, video conferencing systems, networking equipment and industrial control system devices.
The flaws pose great risks for enterprises. If an attacker exploits Ripple20 on one device, the entire business network could be at risk, says Curtis Simpson, CISO at Armis, which specializes in connected device security.
“A vulnerability in the TC/IP stack is dangerous for the low level of access that it can give attackers,” Simpon says. “By now we know that most businesses are running a huge number of connected devices in the workplace."
In an advisory issued Tuesday, U.S. CERT says that high skill levels are needed to exploit the flaws, and that there are no known public exploits targeting the vulnerabilities, at least so far.
Treck says in a statement that it has updated its TCP/IPv4/v6 software to fix the issues. JSOF notes that organizations should use Treck’s stack version 126.96.36.199 or higher.
JSOF dubbed the flaws Ripple20 to reflect how a single vulnerable component can have a ripple effect on “a wide range of industries, applications, companies, and people.” The company is due to present its findings at Black Hat 2020, which will be a virtual event.
Four of the flaws are rated critical, and two of them could be exploited to remotely take control of a device. Others require an attacker to be on the same network as the targeted device, which makes these flaws more difficult - but not impossible - to exploit.
“The risks inherent in this situation are high,” JSOF says. “Just a few examples: Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years.”
Simpson of Armis says that patching will be time consuming since administrators may have to manually update every make and model of vulnerable device.
“Patching will take a significant amount of time, which leaves a wide window open for motivated actors,” Simpson says. “Some devices can’t take patches. Some devices are so old that they've long since been end-of-lifed.”
One of the big concerns is that organizations using the affected devices will be unaware of the issues, says Katherine Robins, a partner with KPMG’s cybersecurity services in Melbourne.
“The other side of this coin are the organizations that are made aware, but don’t have the time or the appetite to patch their IoT /OT networks,” Robins says.
In a brief video, JSOF CEO Shlomi Oberman shows how an exploit for the flaws can affect an uninterruptible power supply, which is connected to a medical infusion pump, an HP OfficeJet Pro 8720 printer and a module with an operating system and processor. Oberman found the flaws with his colleague, Moshe Kol.
Their video shows the attack payload deactivating power to all of the connected devices, leading to the infusion pump issuing alarming beeps and displaying this warning: “Battery depleted. Pump will not run.”
JSOF has published a white paper describing two of the vulnerabilities. The company also plans to release a second white paper solely focused on CVE-2020-11901 - a DNS vulnerability - and describing how it can affect a Schneider Electric APC UPS device.
Experts say that devices that can be patched should be patched immediately. But if devices can’t be updated, organizations can take a series of steps to minimize their exposure.
U.S. CERT says that administrators should ensure that vulnerable systems are not accessible from the internet and that control systems should be located behind firewalls and also not linked to any business networks.
VPNs should be used for all remote access to vulnerable devices, with the caveat that VPN software may also have vulnerabilities, U.S. CERT says. Organizations should also use an internal DNS server that performs lookup using DNS-over-HTTPS, it says.
JSOF says organizations can also block anomalous IP traffic, as well as use deep packet inspection to block network attacks.
Executive Editor Mathew Schwartz contributed to this report.