Hundreds of Millions of IoT Devices Affected by TCP/IP Security Flaws Allowing Remote Code Execution
Researchers from an Israeli-based company, JSOF, discovered a critical TCP/IP software library flaw that allows remote code execution on hundreds of millions of devices connected to the internet. The security vulnerabilities exist in a networking software library sold by an Ohio-based software firm called Treck and used in internet of things (IoT) devices. The collection of security flaws, dubbed Ripple20, affects thousands of products from various vendors, some of whom are not aware that their products use the vulnerable software library. The Israeli-researchers found 19 vulnerabilities, most of which are critical and caused a ripple effect across the IoT devices supply chain. Some of the companies affected by the vulnerabilities include Intel, HP, Caterpillar, among others.
Vendor IoT devices affected by Ripple20 security flaws
The security flaw affects hundreds of millions of devices from over 100 vendors. However, IoT devices from 11 vendors have been confirmed to be affected by Ripple20 security flaws. Devices in various categories such as printers, point of sale systems, IP cameras, networking equipment, UPS systems, ICS devices, video conferencing systems, and infusion pumps are all affected.
IoT devices affected by the security flaws include HP which uses the software library in some of its printers and the Hewlett Packard Enterprise (HPE) systems, Intel, which uses the library in the out-of-band management firmware for Intel vPro-enabled systems, Schneider Electric which uses the vulnerable library in its uninterruptible power supply (UPS) systems, Rockwell Automation, Baxter and B. Braun, Caterpillar, HCL Technologies, and Digi International.
The nature of Ripple20 security flaws
Ripple20 security flaws relate to memory corruption vulnerabilities. these vulnerabilities arise from errors in handling data packets sent over different communication protocols. The affected protocols include IPv4, ICMPv4, IPv6, IPv6OverIPv4, TCP, UDP, ARP, DHCP, DNS and the ethernet link layer.
Two vulnerabilities score 10/10 for the Common Vulnerabilities Scoring System (CVSS), with 10 being the highest score indicating critical risk. One security flaw, CVE-2020-11896, could result in remote code execution while the other, CVE-2020-11897, could cause an out-of-bounds write. Another two security flaws score 9/10 and could cause remote code execution (CVE-2020-11898) or exposure of sensitive information (CVE-2020-11899). When the four security flaws are combined, they would allow malicious actors to take over any network by compromising IoT devices connected to the internet. The combination of security flaws is an excellent target for botnets and targeted attacks.
Although some Ripple20 vulnerabilities may score lower, they still pose a major threat depending on the deployment environment. For example, although affected devices facing the risk of distributed denial of service attacks (DDoS) score lower, when used in a healthcare setting, the actual damage caused by malfunctioning or unavailability of the affected device could be critical.
The JSOF researchers said some of the security flaws only exist in the older versions of the Treck TCP/IP stack while others have been corrected through routine code rewrites. However, some of the vulnerabilities were zero-day discoveries indicating their presence even in the newer versions of the library.
IoT supply chain cybersecurity
The supply chain complexity increases the risk of Ripple20 vulnerabilities because of the lack of software bill of materials in the embedded device software development process. Consequently, many of the affected vendors are unaware that the vulnerable TCP/IP library was used by a third-party hardware component used in their products. For example, Baxter medical devices are vulnerable because they have hardware components from Digi International, which includes the Treck TCP/IP library in its hardware modules.
Similarly, the vulnerable software library has various variants including the commercial KASAGO variant which also uses the Treck TCP/IP stack.
JSOF and Forescout collaborated to develop signatures based on traffic patterns to help identify vulnerable devices. The researchers also collaborated with ICS-CERT, an agency of the US Cybersecurity and Infrastructure Security Agency (CISA), to notify the affected vendors and validate the list of IoT devices affected by the security flaw.
Security flaws affecting IoT devices are more difficult to correct because they require a firmware update for the individual vendor products. The problem is exacerbated in cases where the flawed library is used in a third-party hardware component. In cases where flawed third-party modules are used without the knowledge of the vendor, such vulnerabilities could persist indefinitely, putting countless numbers of IoT devices at risk.