Ripple20 Bugs Affecting Millions of IoT devices

According to researchers, a lightweight TCP/IP software library that manufacturers have deployed in connected devices for approximately two decades has Ripple20 vulnerabilities.

The bugs, four of which are critical, affect hundreds of millions of Internet of Things (IoT) devices. In September 2019, security researchers discovered several severe flaws in connected devices using a software library developed by Treck, a company that designs, distributes, and supports real-time embedded Internet protocols for technology providers.

The Vulnerability Disclosure Process

In accordance with an established practice, Treck had an obligation to notify clients and develop a patch for the identified bugs, despite the detrimental effect that may result, such as damage to brand and brand reputation as well as the loss of customer trust. For discernible reasons, the affected company was reluctant to engage other stakeholders at the start of the disclosure process. However, Treck later collaborated with JSOF, an Israeli cybersecurity consultancy, that discovered the flaws. Additionally, the victim banded together with the Computer Emergency Response Team Coordination Center (CERT/CC) and the Cybersecurity and Infrastructure Agency (CISA) in the discovery and disclosure procedure.

The Affected Products

Cybersecurity researchers revealed that Ripple20 bugs affected millions of IoT products, including industrial control devices, medical devices, home appliances, power grids, printers, and retail equipment. Apart from the products, the vulnerabilities exist in major industries such as aviation, transportation, and oil and gas. It also affects government and critical infrastructure like the national security sector. Ripple20 effects also span from small clothing stores to Fortune 500 enterprises, with more than 70 vendors at risk. Ripple20 is a significant problem as findings of examining the supply chain vendor by vendor reveal.

Critical Vulnerabilities in Ripple20

Ripple20 has a broad array of vulnerabilities with diverse severity levels based on the potential of confidentiality, integrity, and availability (CIA) impact of the bugs if exploited. Some of the weaknesses could potentially enable information disclosure or denial of service if exploited. Additionally, other flaws could allow remote code execution, which gives a malicious actor the ability to take control of a device remotely.

An example of one of the Ripple20 vulnerabilities is the CVE-2020-11896 that allows remote code execution related to IPv4 tunneling. Hackers can exploit the flaw, which has a CVSSv3 score 10, by sending malformed packets to endpoints supporting the IPv4 protocol stack, a fundamental networking core for connected equipment. CVE-2020-11897, on the other hand, is triggered by sending malicious packets to devices supporting the IPv6 protocol stack. Likewise, the vulnerability has a CVSSv3 score of 10.

Researchers also indicate that the attacker should be connected to the network to exploit most of the Ripple20 flaws. However, the IoT landscape that features thousands of devices connected to the Internet by mistake gives malicious attackers the ability to exploit the vulnerabilities outside the network. For endpoints that do not have a direct connection to the Internet, malicious actors would deliver payload via traditional malware delivery techniques like using an infected USB stick. On the other hand, some Ripple20 vulnerabilities are difficult to exploit because they call for in-depth knowledge about the target endpoint.

Impact of Ripple20 Bugs on an Organization

The effects of the Ripple20 flaws depend on the uses of the software. Ordinarily, companies deploy the Treck software library to create other libraries that developers edit and configure for different applications used in a range of endpoints. Some companies have modified the original library contents extensively, making it vague and ambiguous for security analysts to discover the Treck software components. The overall impact is a ripple effect of amplified flaws. 

Other vendors embed the vulnerable software library but fail to advertise all the components used to build the firmware for their devices. They do not provide such information on their websites, making it difficult for their customers to ascertain if Ripple20 affects them or not.

As a result, despite identifying and patching some of the Ripple20 vulnerabilities, other flaws remain unchaperoned due to difficulties created by a sophisticated supply chain and modifications to the source code. Indeed, many affected vendors have no idea that they are running vulnerable systems built on an insecure software library they have used for the last two decades.

Meanwhile, conventional network vulnerability scanners lack the capabilities needed to detect the new Ripple20 bugs in the software library. A convincing discovery as to whether an enterprise is running vulnerable devices, in effect, requires security analysts to conduct an in-depth exploration of complex supply chains by reaching out to contractors and vendors to determine if they deploy the affected TCP/IP library in their systems.   

Fortunately, researchers are not relenting in their search for vulnerable endpoints. However, the mammoth task involving dozens of companies, numerous levels of the supply chain, and millions of devices might run for months. 

Responding to Ripple20 Bugs

After detection, analysis, and reporting, organizations should focus on containing and neutralizing the vulnerabilities. Digi International, one of the Ripple20 victims with several vulnerable lines of products, followed this strategy by analyzing the flaw and engaging in a public disclosure activity. Subsequently, the vendor collaborated with security researchers to address 22 necessary code fixes and to examine if the defects were exploitable. The victim managed to patch all Ripple20 bugs successfully by April.

Security research remark that the challenges faced in containing these flaws involve a lack of automatic updates on the affected devices. Many vendors believe that the strategy can interfere with standard system processes. Besides, some affected IoT components are old and cannot receive patches remotely.

Ripple20 protection strategies will depend on an organization. However, all enterprises affected by the bugs require a robust security testing and containment plan. For the same reason, organizations need to work closely with vendors and suppliers to gather relevant information that aids in analyzing their potential exposure to the vulnerabilities. Simultaneously, end-users will have to update the endpoints for devices with an update option.

ISA Security team understands that Ripple20 pose dangerous and challenging to mitigate problems for IoT-equipped businesses. In effect, the dedicated incident response team at ISA helps such organizations throughout the incident response lifecycle consisting of preparation, identification, containment, eradication, recovery, and lessons learned.  ISA designs its state-of-the-art Cybersecurity Intelligence and Operations Center (CIOC) to have unparalleled physical security capabilities and multitenant cloud offering powered by an industry-leading SIEM technology. The 24*7 cybersecurity operations center and highly trained industry professionals help Ripple20 victims to respond before hackers exploit the bugs.

Contact ISA today for a demo.


Get exclusively curated cyber insights and news in your inbox

Related Posts

Contact Us Today


Get monthly proprietary, curated updates on the latest cyber news.