Millions of Connected Devices Have Exploitable TCP/IP Flaws

Jeremy Kirk (jeremy_kirk) • June 17, 2020    

Millions of Connected Devices Have Exploitable TCP/IP Flaws
Demonstration of the Ripple20 flaws being exploited to deactivate an uninterruptible power supply, and the resulting effect on an attached medical device (Source: JSOF)

Time for another internet of things update nightmare: Researchers have found that a little-known software library that’s been widely used for decades – by numerous companies and in many products – has serious vulnerabilities that need immediate fixing. 

This time, the flaws – dubbed “Ripple20” by researchers – involve TCP/IP code from Cincinnati-based Treck, which makes software for implementing various networking protocols. While Treck might be a low-profile company few have heard of, its code has nevertheless found its way into millions of connected devices, from medical pumps and office printers to utility grid systems and aviation components. 

That’s because Treck’s TCP/IP code stack – an embedded library – is known for its high performance and reliability. The code is apparently particularly well-suited for low-power IoT devices and real-time operating system usage. 

On Tuesday, however, Israeli cybersecurity consultancy JSOF disclosed 19 vulnerabilities in the TCP/IP code after previously reporting the flaws to Treck, which has prepared a fix. JSOF’s findings follow another large-scale problem affecting IoT devices coming to light, in that case in the Universal Plug and Play protocol (see: UpNp Vulnerability Could Affect Billions of IoT Devices). 

Information about the Ripple20 flaws has been circulating privately since last year, as researchers, vendors and security experts worked to coordinate fixes and alert relevant parties. JSOF notes that it reached out to agencies such as the CERT Coordination Center and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency once it realized how challenging it would be to identify all companies and products that utilize the vulnerable code from Treck. 

Companies that ship products affected by the flaws include CaterpillarIntelGreen Hills Software, Rockwell Automation, HP, Baxter and Schneider Electric, among many others. 

Experts say numerous organizations will need to issue updates or detail workarounds to mitigate the flaws. Already, medical device manufacturer B. Braun Medical, based in Pennsylvania, issued an advisory on Friday saying only one of its products, the Outlook 400ES infusion pump, is affected by the flaws. It says it is still analyzing four patches issued by Treck but that its customers do not need to take immediate action. 

B. Braun Medical Inc.’s Outlook 400ES infusion pump is one of millions of devices that have exploitable TCP/IP software. (Photo: B. Braun Medical Inc.)

JSOF says that Treck is reaching out directly to warn its clients, but it says that because of nondisclosure agreements, Treck hasn’t released a list of those clients.

“The software library spreads far and wide, to the point that tracking it down has been a major challenge,” JSOF says. “As we traced through the distribution trail of Treck’s TCP/IP library, we discovered that over the past two decades this basic piece of networking software has been spreading around the world, through both direct and indirect use.” 

Forescout Technologies, which worked with JSOF on disclosure, writes that more than 50 vendors may be affected, “exposing a very complex supply chain for IoT devices.” 

Forescout used the internet-connected device search engine Shodan to look for potentially vulnerable devices that are exposed to the internet and could be directly compromised. It found 15,000 such devices, including printers, IP cameras, video conferencing systems, networking equipment and industrial control system devices. 

If previous, widespread flaws and patching efforts are any guide, however, many products with vulnerable Treck code will never see fixes get issued by manufacturers. And even when fixes do get released, many of these patches never get installed by end users (see: Heartbleed Lingers: Nearly 180,000 Servers Still Vulnerable).

Patches Available

In an advisory issued Tuesday, U.S. CERT says that high skill levels are needed to exploit the flaws, and that there are no known public exploits targeting the vulnerabilities, at least so far. 

Treck says in a statement that it has updated its TCP/IPv4/v6 software to fix the issues. JSOF notes that organizations should use Treck’s stack version or higher. 

JSOF dubbed the flaws Ripple20 to reflect how a single vulnerable component can have a ripple effect on “a wide range of industries, applications, companies, and people.” The company is due to present its findings at Black Hat 2020, which will be a virtual event. 

Four of the flaws are rated critical, and two of them could be exploited to remotely take control of a device. Others require an attacker to be on the same network as the targeted device, which makes these flaws more difficult – but not impossible – to exploit. 

“The risks inherent in this situation are high,” JSOF says. “Just a few examples: Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years.” 

In a brief video, JSOF CEO Shlomi Oberman shows how an exploit for the flaws can affect an uninterruptible power supply, which is connected to a medical infusion pump, an HP OfficeJet Pro 8720 printer and a module with an operating system and processor. Oberman found the flaws with his colleague, Moshe Kol. 

Their video shows the attack payload deactivating power to all of the connected devices, leading to the infusion pump issuing alarming beeps and displaying this warning: “Battery depleted. Pump will not run.” 

JSOF has published a white paper describing two of the vulnerabilities. The company also plans to release a second white paper solely focused on CVE-2020-11901 – a DNS vulnerability – and describing how it can affect a Schneider Electric APC UPS device. 

Mitigation Strategies

Experts say that devices that can be patched should be patched immediately. But if devices can’t be updated, organizations can take a series of steps to minimize their exposure. 

U.S. CERT says that administrators should ensure that vulnerable systems are not accessible from the internet and that control systems should be located behind firewalls and also not linked to any business networks. 

VPNs should be used for all remote access to vulnerable devices, with the caveat that VPN software may also have vulnerabilities, U.S. CERT says. Organizations should also use an internal DNS server that performs lookup using DNS-over-HTTPS, it says.

JSOF says organizations can also block anomalous IP traffic, as well as use deep packet inspection to block network attacks. 

Executive Editor Mathew Schwartz contributed to this report – source