Devices in the energy, transport and communication sectors are also affected by the flaws in the TCP/IP software library
Hundreds of millions of connected devices may be vulnerable to remote attacks due to a series of 19 vulnerabilities in a widely used TCP/IP software library developed by a software company called Treck. According to Israel-based security company JSOF, which discovered the vulnerabilities, the bugs, collectively known as Ripple20, affect IoT devices manufactured by specialized boutique vendors as well as by several Fortune 500 companies.
Products at risk include smart home devices, industrial control systems, and medical and healthcare systems, as well as devices used in critical infrastructure sectors such as energy, transport and communication, and in the government and national security sectors.
JSOF highlighted some possible high-risk scenarios that could arise if these flaws were weaponized:
“Data could be stolen from a printer, the behavior of an infusion pump could be changed, or industrial control units could malfunction. An attacker could hide malicious code in embedded devices for years. One of the security gaps could allow outside access to the network boundaries,” they said, before adding that this is just one example of the damage that can be done.
A major challenge for the researchers was tracing the distribution path of Treck's TCP/IP library. They found that over the past 20 years it had found its way into countless devices sold all over the world. They even discovered several divergent branches of the library, stemming from a joint project Treck ran with a Japanese company in the 1990s, a partnership that Treck later ended.
According to a security advisory by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), four of the vulnerabilities are classified as critical and carry a base score of over 9 on the CVSSv3 scale (which runs from 1 to 10).
Two flaws, CVE-2020-11896 and CVE-2020-11897, received a "perfect" severity score of 10, which underlines the seriousness of the problem. The former can lead to remote code execution, while the latter can lead to an out-of-bounds write. Two other vulnerabilities have been classified as critical: CVE-2020-11898 could leak information, and CVE-2020-11901 could allow remote code execution via a single malformed DNS response.
Four of the flaws (one of high and three of low severity) have been fixed over the years through routine code changes, yet they remain open on some affected devices, while many of the others exist in multiple variants owing to the configurability of, and changes to, the TCP/IP stack.
However, Ripple20 still poses a significant risk to devices that are still in use. "In all scenarios, an attacker could take complete control of the target device remotely without requiring user interaction," said JSOF.
To minimize the risks, JSOF offers a number of recommendations, starting with a comprehensive risk assessment before any countermeasures are taken. Computer Emergency Response Teams (CERTs) such as Carnegie Mellon's CERT Coordination Center, JPCERT/CC and CERT-IL have also published guidance on how to deal with the risks posed by Ripple20. Where patches have been released, they should be applied now.
Amer Owaida June 17, 2020 – 9:00 p.m.