Ripple20 vulnerabilities will haunt the IoT landscape for years to come


Cybersecurity researchers yesterday disclosed 19 vulnerabilities in a small software library designed in the 1990s that has been widely used and integrated into countless consumer and professional connected devices over the past 20 years.

The number of affected products is estimated at “hundreds of millions” and includes smart home appliances, electrical grid equipment, healthcare systems, industrial equipment, transportation systems, printers, routers, mobile/satellite communication equipment and many others.

Experts now fear that many products using this library will remain unpatched because of the difficulty of updating such systems.

The problem is made worse by the fact that the library was not only used directly by equipment vendors, but also integrated into other software suites, which means that many companies are not even aware that they are using this particular piece of code: the name of the vulnerable library does not appear in their code manifests.

The Ripple20 vulnerabilities

These vulnerabilities – collectively called Ripple20 – affect a small library developed by the Cincinnati-based software company Treck.

The library, first published in 1997, implements a lightweight TCP/IP stack. Businesses have used it for decades to let their devices or software connect to the Internet over TCP/IP.

Since September 2019, researchers at JSOF, a small cybersecurity consultancy in Jerusalem, Israel, have been examining Treck’s TCP/IP stack because of its large footprint in industrial, healthcare and smart devices.

Their work uncovered serious vulnerabilities, and the JSOF team worked with CERTs (computer emergency response teams) in several countries to coordinate the disclosure and patching process.

In an interview with ZDNet last week, the JSOF team said this involved a lot of work and many steps, such as getting in touch with Treck, making sure Treck could release patches in time, and then finding the vulnerable equipment and contacting each of the affected vendors.

These efforts were successful, JSOF CEO Shlomi Oberman told ZDNet. Oberman credited CERT/CC with playing a major role in coordinating the vulnerability disclosure process with all of the vendors involved.

Treck, although reluctant at first and initially believing it was the target of an extortion attempt, is now fully engaged, Oberman said.

In an email to ZDNet on Monday, Treck confirmed that patches are now available for all of the Ripple20 vulnerabilities.

The work on Ripple20 is not finished

But JSOF said the work of identifying all of the vulnerable devices is not yet complete. The researchers named the 19 vulnerabilities Ripple20 not because there were 20 of them at the outset, but because of the ripple effect they will have on the IoT landscape in 2020 and in the years to come.

The researchers say they have only scratched the surface of the problem of identifying every device that embeds Treck’s TCP/IP library, and that many equipment vendors will need to audit their own code.

Oberman explains that not all of the Ripple20 vulnerabilities are serious, but some are extremely dangerous, allowing attackers to take control of vulnerable systems remotely.

In a security advisory published today, which ZDNet reviewed under embargo, the United States Department of Homeland Security assigned scores of 10 and 9.8 on the CVSSv3 severity scale (which ranges from 0 to 10) to four of the Ripple20 vulnerabilities.

These are:

CVE-2020-11896 – CVSSv3 score: 10 – Improper handling of length parameter inconsistency in the IPv4/UDP component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution.

CVE-2020-11897 – CVSSv3 score: 10 – Improper handling of length parameter inconsistency in the IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in an out-of-bounds write.

CVE-2020-11898 – CVSSv3 score: 9.8 – Improper handling of length parameter inconsistency in the IPv4/ICMPv4 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in exposure of sensitive information.

CVE-2020-11899 – CVSSv3 score: 9.8 – Improper input validation in the IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in exposure of sensitive information.
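As an added illustration of the bug class the four entries above describe (length fields in the IPv4 and UDP headers that disagree with each other and with the frame actually received), here is a generic example written for this page. It is not Treck’s code and makes no claim about how the Treck stack is implemented; the packet builder, both parsers and the sample packets are all constructed for the example, and checksums and addresses are deliberately left zero because they play no part in the length checks. The naive parser trusts the UDP length field outright; the checked parser cross-validates the frame length, the IPv4 total length and IHL, the UDP length and the destination buffer before copying a byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HDR 20   /* IPv4 header with IHL = 5 */
#define UDP_HDR      8    /* fixed UDP header size    */

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Naive parser (the bug class): trusts the UDP length field and returns the
 * payload length a careless stack would hand to memcpy(). It never looks at
 * the frame length or the IPv4 total length, so udp_len < 8 wraps the
 * subtraction to a huge value and udp_len > frame reads past the packet. */
size_t naive_udp_payload_len(const uint8_t *frame, size_t frame_len)
{
    (void)frame_len;                            /* never consulted: the bug */
    size_t ihl = (size_t)(frame[0] & 0x0f) * 4;
    const uint8_t *udp = frame + ihl;
    size_t udp_len = be16(udp + 4);
    return udp_len - UDP_HDR;                   /* wraps when udp_len < 8 */
}

/* Hardened parser: every length is checked against the others and against the
 * destination buffer before the copy. Returns payload bytes copied, or -1. */
int checked_udp_payload(const uint8_t *frame, size_t frame_len,
                        uint8_t *dst, size_t dst_cap)
{
    if (frame_len < IPV4_MIN_HDR) return -1;
    if ((frame[0] >> 4) != 4) return -1;                    /* not IPv4 */
    size_t ihl = (size_t)(frame[0] & 0x0f) * 4;
    if (ihl < IPV4_MIN_HDR) return -1;                      /* IHL must be >= 5 */
    size_t ip_total = be16(frame + 2);
    if (ip_total < ihl + UDP_HDR || ip_total > frame_len) return -1;
    if (frame[9] != 17) return -1;                          /* protocol != UDP */
    const uint8_t *udp = frame + ihl;
    size_t udp_len = be16(udp + 4);
    if (udp_len < UDP_HDR || udp_len > ip_total - ihl) return -1;
    size_t payload_len = udp_len - UDP_HDR;
    if (payload_len > dst_cap) return -1;                   /* would overflow dst */
    memcpy(dst, udp + UDP_HDR, payload_len);
    return (int)payload_len;
}

/* Constructed test packet: minimal IPv4 + UDP headers plus a short payload.
 * ip_total and udp_len are written exactly as given so callers can make the
 * headers lie. Addresses and checksums stay zero (irrelevant to the checks). */
size_t make_packet(uint8_t *buf, size_t cap, uint16_t ip_total,
                   uint16_t udp_len, const char *payload)
{
    size_t plen = strlen(payload);
    size_t frame_len = IPV4_MIN_HDR + UDP_HDR + plen;
    if (frame_len > cap) return 0;
    memset(buf, 0, frame_len);
    buf[0] = 0x45;                                   /* version 4, IHL 5 */
    buf[2] = (uint8_t)(ip_total >> 8);
    buf[3] = (uint8_t)(ip_total & 0xff);
    buf[8] = 64;                                     /* TTL */
    buf[9] = 17;                                     /* UDP */
    uint8_t *udp = buf + IPV4_MIN_HDR;
    udp[1] = 53;  udp[3] = 53;                       /* src/dst port 53 */
    udp[4] = (uint8_t)(udp_len >> 8);
    udp[5] = (uint8_t)(udp_len & 0xff);
    memcpy(udp + UDP_HDR, payload, plen);
    return frame_len;
}

/* Scenario helpers: build a 33-byte frame carrying "hello" with the given
 * header lengths and run one parser on it. A consistent frame has
 * ip_total = 33 and udp_len = 13. */
int checked_result(uint16_t udp_len, uint16_t ip_total)
{
    uint8_t frame[64], dst[16];
    size_t n = make_packet(frame, sizeof frame, ip_total, udp_len, "hello");
    return checked_udp_payload(frame, n, dst, sizeof dst);
}

size_t naive_result(uint16_t udp_len, uint16_t ip_total)
{
    uint8_t frame[64];
    size_t n = make_packet(frame, sizeof frame, ip_total, udp_len, "hello");
    return naive_udp_payload_len(frame, n);
}

int main(void)
{
    printf("consistent      : checked=%d naive=%zu\n",
           checked_result(13, 33), naive_result(13, 33));
    printf("udp_len < 8     : checked=%d naive=%zu\n",
           checked_result(4, 33), naive_result(4, 33));
    printf("udp_len > frame : checked=%d naive=%zu\n",
           checked_result(1500, 33), naive_result(1500, 33));
    printf("ip_total > frame: checked=%d\n", checked_result(13, 1500));
    return 0;
}
```

On the consistent frame both parsers agree on 5 payload bytes. With udp_len set to 4 the naive length wraps to a value far larger than the 33-byte frame, which is exactly the kind of copy that becomes an out-of-bounds write or read; with udp_len set to 1500 it returns 1492 bytes that are not in the packet, turning a copy into an information leak. The checked parser rejects every inconsistent frame before touching memory. The IPv6 cases in the list above follow the same pattern with the IPv6 payload length field in place of the IPv4 total length.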

These four vulnerabilities, when exploited, can allow attackers to easily take control of connected objects or of industrial or healthcare equipment. Attacks are possible over the Internet if the devices are exposed online, or from local networks if the attacker has gained a foothold on the internal network (for example, via a compromised router).

These four vulnerabilities are ideal for botnet operators, but also for targeted attacks. Testing all systems for the Ripple20 vulnerabilities and fixing these four issues should be a priority for every company, mainly because of Treck’s large presence in the software landscape.

The impact of the Ripple20 vulnerabilities is expected to be similar to that of the Urgent/11 vulnerabilities, disclosed in July 2019, which are still being investigated to this day: new vulnerable devices are regularly identified and patched. The comparison is not accidental, because Urgent/11 affected the TCP/IP network stack (IPnet) of the VxWorks real-time operating system, another product widely used in the IoT and industrial landscape.

As with Urgent/11, some products will never be patched, because they have reached end of life or because their vendors have since ceased operations.

JSOF was invited to speak about these vulnerabilities at the Black Hat USA 2020 security conference.

US-CERT, CERT/CC and Treck have also published advisories containing details of the vulnerabilities and mitigation advice.

Source: ZDNet.com

Source: www.zdnet.fr
