Cybersecurity Threat Advisory 0042-20: Ripple20 Vulnerabilities
A series of nineteen vulnerabilities dubbed “Ripple20” has been identified in a large number of devices spanning multiple vendors and industries. The flaws lie in a widely used low-level TCP/IP software library developed by Treck, Inc. Successful exploitation can lead to remote code execution on, or information disclosure from, affected devices.
Technical detail and additional information
What is the threat?
The security flaws identified in the Treck TCP/IP stack software comprise nineteen vulnerabilities, including memory management bugs. More information on each vulnerability can be found in the individually released Common Vulnerabilities and Exposures (CVE) entries listed on Treck’s vulnerability response information (link below). Successful exploitation of these vulnerabilities can result in data being stolen from an affected device, code being modified to alter the performance or scheduling of any system on a vulnerable device, or attackers gaining an entry point into an internal network.
Why is this noteworthy?
This series of vulnerabilities is noteworthy because of the scope of affected devices across industries including healthcare, data centers, enterprises, telecom, oil, gas, nuclear, transportation, and many others across critical infrastructure. The Treck IP network stack software is designed for and used in a variety of embedded systems. Because of the large number of potentially affected devices, unsecured devices on private networks can serve as entry points to a network or have their operation changed, depending on the vulnerability exploited.
What is the exposure or risk?
Successful exploitation of these vulnerabilities could allow remote code execution or the exposure of potentially sensitive information. Ripple20 has been found in several vendors’ IoT devices, including those of HP, Intel and Caterpillar, with additional vendors still assessing whether any of the discovered vulnerabilities affect their devices that use the Treck TCP/IP software library. Because of the number and variety of devices affected, not all devices may be patched immediately.
What are the recommendations?
- Update to the latest stable version of the Treck IP stack software (188.8.131.52 or later). To obtain patches, email firstname.lastname@example.org. If you use an embedded system or other product affected by these vulnerabilities, contact your product vendor about updates and mitigations.
- Minimize exposure of control system devices and/or systems by placing them behind a firewall and ensuring they can only be accessed internally.
- If remote access to an internal device is necessary, use a secure service such as a Virtual Private Network (VPN). Any device used to connect over the VPN should run security products such as antivirus to maintain its own security.
If you have any questions, please contact our Security Operations Center.