Cybersecurity researchers from JSOF have just published a set of 19 vulnerabilities, dubbed Ripple20, that affect the TCP/IP stack developed by Treck. This software stack is integrated into millions of systems used in the healthcare, transportation, manufacturing, telecoms and energy markets, potentially affecting a very large number of organizations and critical industries.
The vulnerabilities are similar to the Urgent/11 vulnerabilities published in 2019, which affected the TCP/IP stack developed by Interpeak. Like Urgent/11, the Ripple20 vulnerabilities allow attackers to trigger remote code execution and denial of service (DoS). Many vendors, such as HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter and others, have already confirmed that they are impacted by Ripple20.
The Cisco IoT solutions designed for industrial environments are not affected by Ripple20. In fact, products like Cisco Cyber Vision and the Cisco Industrial Security Appliance ISA3000 together with Snort signatures from Cisco Talos will help identify Ripple20 vulnerabilities in your network and remediate risks. Some Cisco products are vulnerable, and you can read the official Cisco advisory here.
Treck was founded in 1997 and develops protocol stacks for real-time embedded systems. Its stack is used by many equipment vendors because it offers optimized performance for IoT devices, which typically have limited memory or processing power. It is sold as source code, making it easy for vendors to integrate only the protocol layers they need and to modify them for specific applications.
As a result, depending on how manufacturers have specialized and integrated these libraries, they can become virtually unidentifiable. In addition, as manufacturers have been acquired, some might have lost track of this software component, making it quite difficult – if not impossible – to identify affected products.
Another important fact is the past collaboration between Treck and the Japanese company Elmic System (today Zuken Elmic). This collaboration resulted in two similar TCP/IP stacks maintained independently by each publisher and sold in different regions, one in the US market and one in Asian markets. Several Ripple20 vulnerabilities also impact the TCP/IP stack maintained by Zuken Elmic.
Ripple20 consists of a series of 19 vulnerabilities. Four of them are critical, with scores above 9 on the CVSS severity scale. These should be addressed quickly, as they can be exploited for arbitrary remote code execution, denial of service attacks and information disclosure.
CVE-2020-11901 is probably the most severe vulnerability. It can be triggered by answering a DNS request from the device and may result in remote code execution. Because DNS requests generally leave the network, they can be easily intercepted to give an attacker a way in. Furthermore, the packet sent to exploit this vulnerability will be compliant with various RFCs, making it difficult for a firewall to detect the attack.
This is just an example. The full list of Ripple20 vulnerabilities and their descriptions can be found on the JSOF web site here.
JSOF estimates that several billion devices could be impacted by the Ripple20 vulnerabilities as many vendors have integrated all or parts of the Treck TCP/IP protocol stack in the systems they develop. A list of impacted vendors has been established by the CISA ICS-CERT and can be found here.
While details and the list of affected vendors continue to emerge, there are some steps that can be taken to help identify and protect against these vulnerabilities.
As vendors are publishing security advisories to identify which of their products are impacted, Cisco will continue to update the Cyber Vision knowledge base so it can spot your affected assets. Cisco Cyber Vision is a solution specifically designed to detect attacks against IoT/OT devices. It automatically uncovers the smallest details of your industrial networks and builds a comprehensive asset inventory highlighting known vulnerabilities, such as Ripple20.
The Cyber Vision knowledge base is frequently updated and is available for free to all Cyber Vision customers. If you have not done so already, we recommend you install the latest version today by downloading it here.
Due to the nature of the Ripple20 vulnerabilities, and the types of devices impacted, you might not be able to patch vulnerable assets – or you might never know that some assets are vulnerable. To keep you protected, there are some alternative measures that can be taken.
In the short term, you can leverage your intrusion detection systems (IDS) to detect and alert on attempts to exploit these vulnerabilities. Cisco Cyber Vision can be configured with the Snort IDS engine, leveraging rules developed by Cisco Talos. The Cisco Industrial Security Appliance ISA3000 offers the same IDS, plus the ability to block these behaviors and much more, all in a ruggedized form factor that can be deployed right alongside the industrial devices it is protecting.
The ISA3000 is also ideally suited to segment your industrial networks and isolate assets that don’t need to talk to each other. This will ensure a potential attack can be constrained and doesn’t spread to the entire network.
JSOF has provided many other remediation recommendations that you can also implement with the ISA3000. These include blocking IP fragments, blocking IP-in-IP tunneling, rejecting malformed TCP packets, blocking unused ICMP messages, restricting DHCP traffic, and restricting any unexpected or unnecessary communications and protocols in the environment.
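To make the JSOF mitigation list above concrete, here is an added example (not Cisco's, JSOF's or Treck's code) that applies the fragment, IP-in-IP, malformed-TCP and ICMP rules to a raw IPv4 packet; the ICMP allow-list and the sample packets are constructed assumptions for illustration.

```python
"""Packet-level policy check modelled on the JSOF Ripple20 mitigations.

Added example, not vendor code. It parses a raw IPv4 packet with the
standard library and returns the first mitigation rule it violates, or
None if the packet is allowed. Tune ALLOWED_ICMP_TYPES to your site.
"""
import struct

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_TCP = 1, 4, 6
# Assumed allow-list: echo reply, destination unreachable, echo request, time exceeded
ALLOWED_ICMP_TYPES = {0, 3, 8, 11}
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04


def check_packet(pkt: bytes):
    """Return the name of the violated mitigation, or None if the packet passes."""
    if len(pkt) < 20:
        return "malformed IP header"
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    frag_field = struct.unpack("!H", pkt[6:8])[0]  # flags + fragment offset
    proto = pkt[9]
    more_fragments = bool(frag_field & 0x2000)
    frag_offset = frag_field & 0x1FFF
    if more_fragments or frag_offset:
        return "IP fragment"                       # block IP fragments
    if proto == IPPROTO_IPIP:
        return "IP-in-IP tunneling"                # block IP-in-IP tunneling
    payload = pkt[ihl:]
    if proto == IPPROTO_ICMP:
        if not payload or payload[0] not in ALLOWED_ICMP_TYPES:
            return "unused ICMP type"              # block unused ICMP messages
    if proto == IPPROTO_TCP:
        if len(payload) < 20:
            return "malformed TCP packet"          # truncated TCP header
        data_offset = (payload[12] >> 4) * 4
        flags = payload[13]
        if data_offset < 20 or data_offset > len(payload):
            return "malformed TCP packet"          # impossible data offset
        if flags & TCP_SYN and flags & (TCP_FIN | TCP_RST):
            return "malformed TCP packet"          # contradictory flag combination
    return None


def ipv4(proto: int, frag_field: int = 0, payload: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet for testing (checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         frag_field, 64, proto, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return header + payload
```

A real deployment would apply these checks at the segmentation boundary, which is where the ISA3000 policy described above sits, rather than on end devices that cannot be patched.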