An obscure TCP/IP stack that is embedded in millions of medical, ICS, networking, and retail devices around the world contains nearly 20 vulnerabilities, some of which can allow remote code execution and give an attacker complete control over the target device.
The flaws, known collectively as Ripple20, are in a stack provided by Treck, which builds software libraries for embedded systems, and they run the gamut from improper input validation and access control to an integer overflow. Researchers at JSOF, a small Israeli security research firm, discovered the vulnerabilities last fall and began looking into where the Treck stack was used and soon discovered it was deployed in a long list of devices. Among the vendors with affected products are HP Enterprise, Intel, Schneider Electric, Caterpillar, and Rockwell Automation, and because the TCP/IP stack is designed specifically for embedded systems, many of the affected devices may be quite difficult to update.
“The software library spread far and wide, to the point that tracking it down has been a major challenge. As we traced through the distribution trail of Treck’s TCP/IP library, we discovered that over the past two decades this basic piece of networking software has been spreading around the world, through both direct and indirect use. As a dissemination vector, the complex supply chain provides the perfect channel, making it possible for the original vulnerability to infiltrate and camouflage itself almost endlessly,” the JSOF advisory says.
“The interesting thing about Ripple20 is the incredible extent of its impact, magnified by the supply chain factor. The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain ‘ripple-effect’. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people.”
"The impact of these vulnerabilities will vary due to the combination of build and runtime options used while developing different embedded systems."
For enterprises, the main risk from these vulnerabilities comes from network devices such as printers and servers running firmware or software versions that contain the vulnerable library. Several models of HP and Samsung printers are affected, as are some Intel servers. The broader effect, however, will be felt by the manufacturers of ICS gear, PoS systems, medical devices, and transportation systems that are vulnerable. Treck has provided an updated version of the TCP/IP stack and many of the affected vendors have released fixes too, but updating some of those products and systems may not be a simple process. ICS and medical devices, specifically, operate in highly controlled environments and taking them offline for updates requires significant planning.
Because of the broad reach of the vulnerabilities and the library itself, the JSOF researchers coordinated their disclosure with CERT organizations in several countries, including Israel, Japan, and the United States, as well as the Cybersecurity and Infrastructure Security Agency (CISA).
“The impact of these vulnerabilities will vary due to the combination of build and runtime options used while developing different embedded systems. This diversity of implementations and the lack of supply chain visibility has exasperated the problem of accurately assessing the impact of these vulnerabilities. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause a denial of service, disclose information, or execute arbitrary code,” the advisory from the CERT/CC at Carnegie Mellon University says.
“Treck IP network stack software is designed for and used in a variety of embedded systems. The software can be licensed and integrated in various ways, including compiled from source, licensed for modification and reuse and finally as a dynamic or static linked library. Treck IP software contains multiple vulnerabilities, most of which are caused by memory management bugs.”