Health-ISAC Vulnerability Bulletin

pdf version:

H-ISAC Vulnerability Bulletin - Ripple20 - June 19, 2020

Text version:


June 19, 2020



Ripple20 Treck TCP/IP Stack

Vulnerability Summary

Ripple20 is a host of zero-day vulnerabilities discovered in a low-level TCP/IP software library developed by a software company called Treck. The stack of vulnerabilities, discovered by Israel-based security company JSOF, affects millions of devices and includes remote code execution (RCE) vulnerabilities. The vast risks associated with this vulnerability impacts products such as smart home devices, power grid equipment, healthcare systems, printers, routers, data center devices, and many more. Ripple20 can cause data to be stolen from printers, abnormal or inconsistent infusion pump behavior, and industrial control devices to malfunction.

The large scope of impacted products is due to the consistent implementation of the software library. Issues surrounding Ripple20 are exacerbated as the vulnerable software was not only used by equipment vendors directly but also integrated into other software suites, further complicating the response as device manufactures may be unaware of the underlying code in the software libraries they use.

Identifying all the vulnerable devices is not yet done. Researchers derived the name Ripple20 as the, currently amounted, 19 vulnerabilities are expected to cause a ripple effect in the IoT landscape in 2020, and the years to come. As the search continues, researchers have only scratched the surface of discovering all the devices that have employed the vulnerable TCP/IP library. Of the 19 vulnerabilities, four (CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, and CVE2020-11899), have critical ratings of 10 and 9.8 by the US Department of Homeland Security on the CVSSv3 vulnerability severity scale.

Analysis & Action

When the four critical vulnerabilities are weaponized, attackers can take control of smart devices or any industrial or health care equipment. Attacks are possible via the internet if the devices are connected online, or from local networks if the attacker gains a foothold on an internal network. According to research, the four vulnerabilities are ideal for both botnet operators, as well as targeted attacks. Ripple20 poses significant risks to devices implementing unpatched versions of the Treck TCP/IP Stack. Once adversaries gain access to network devices, they can execute crafty malicious attacks. Potential risk scenarios include:

•   An attacker from outside the network taking control over a device within the network, if internet facing.
•   An attacker who has already managed to infiltrate a network can use the library vulnerabilities to target specific devices within it.
•   An attacker could broadcast an attack capable of taking over all impacted devices in the network simultaneously.
•   An attacker may utilize an affected device to remain hidden within the network for years
•   A sophisticated attacker can potentially perform an attack on a device within the network, from outside the network boundaries, thus bypassing NAT configurations. This can be done by performing a MITM attack or a DNS cache poisoning.
•   In some scenarios, an attacker may be able to perform attacks from outside the network by replying to packets that leave network boundaries, bypassing NAT

The impact of the Ripple20 vulnerabilities is expected to be the same as the Urgent/11 vulnerabilities. The resemblance is attributed to the impact the Urgent/11 vulnerabilities had on the TCP/IP networking stack of the VxWorks real-time operating system. This was also a product widely used in the IoT and industrial landscape.



H-ISAC recommends users apply the latest version of the affected products. The following recommended mitigations should be implemented:

•   Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. The Ripple20 security issues could provide additional justification for internal network segmentation.
•   Locate control system networks and remote devices behind firewalls and isolate them from the business network.
•   When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
•   Use an internal DNS server that performs DNS-over-HTTPS for lookups. More detailed information on the vulnerabilities and mitigating controls can be found here. Organizations are recommended to perform proper analysis and risk assessment prior to deploying defensive measures.

Translate »