Ripple20 Vulnerabilities Affecting Treck IP Stacks

We are aware of multiple vulnerabilities, known as Ripple20, affecting Treck IP stack implementations for embedded systems. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.

If an attacker can manipulate the length parameter associated with an input such that it is inconsistent with the actual length of the input, this can be leveraged to cause the target application to behave in unexpected, and possibly, malicious ways. One of the possible motives for doing so is to pass in arbitrarily large input to the application. Another possible motivation is the modification of application state by including invalid data for subsequent properties of the application. Such weaknesses commonly lead to attacks such as buffer overflows and execution of arbitrary code.

Ripple20 reached critical IoT devices from a wide range of fields, involving a diverse group of vendors. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel,  Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being of vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries.

JSOF has demonstrated exploitation of these vulnerabilities on different devices as a proof-of-concept. Watch them turn off the plug on a UPS.

Ripple20 is a set of 19 vulnerabilities found on the Treck TCP/IP stack . Four of the Ripple20 vulnerabilities are rated critical, with CVSS scores over 9 and enable Remote Code Execution. One of the critical vulnerabilities is in the DNS protocol and may potentially be exploitable by a sophisticated attacker over the internet, from outside the network boundaries, even on devices that are not connected to the internet.

AFFECTED PRODUCTS

The Treck TCP/IP stack is affected including:

  • IPv4
  • IPv6
  • UDP
  • DNS
  • DHCP
  • TCP
  • ICMPv4
  • ARP

Further information at – https://www.jsof-tech.com/ripple20/

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: