10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.049 Low
EPSS
Percentile
91.9%
Treck IP stack implementations for embedded systems are affected by multiple vulnerabilities. This set of vulnerabilities was researched and reported by JSOF, who calls them Ripple20. A summary of JSOF’s research is here, along with a technical whitepaper. See the Rapid7 Analysis tab for further details.
Recent assessments:
busterb at June 17, 2020 6:03pm UTC reported:
This may be interesting to exploit when one has a particular device in mind, and it provides some sort of useful access or control, but there is not going to be an apocalypse of Ripple20 exploits for a few reasons:
Every target device has to have a tailor-made exploit written for it, outside of a DoS.
There is no low-hanging fruit here for actual code execution. Those hundreds of vendors are going to have hundreds of ways they integrated this thing, though you may find some commonalities when folks use the same board support package (BSP) for reference designs.
Getting malformed packets into a target device remotely is a lot harder than you’d think these days. Oftentimes, this might as well be considered a local attack, since a lot of edge and intermediate devices will discard many of the malformed packets involved here. That’s why I’m tagging ‘Requires physical access’, because it’s practically the case.
There’s a reason why devices like this have been off-limits for vuln scans and penetration tests for years. It’s because the vendors and users knew their stacks were fragile. This is just reality the infosec world is finally catching up to. This isn’t the first exploration of an embedded stack with problems, and it will most definitely not be the last. Whether this makes a change in the industry is a bigger question.
gwillcox-r7 at March 07, 2022 5:13pm UTC reported:
This may be interesting to exploit when one has a particular device in mind, and it provides some sort of useful access or control, but there is not going to be an apocalypse of Ripple20 exploits for a few reasons:
Every target device has to have a tailor-made exploit written for it, outside of a DoS.
There is no low-hanging fruit here for actual code execution. Those hundreds of vendors are going to have hundreds of ways they integrated this thing, though you may find some commonalities when folks use the same board support package (BSP) for reference designs.
Getting malformed packets into a target device remotely is a lot harder than you’d think these days. Oftentimes, this might as well be considered a local attack, since a lot of edge and intermediate devices will discard many of the malformed packets involved here. That’s why I’m tagging ‘Requires physical access’, because it’s practically the case.
There’s a reason why devices like this have been off-limits for vuln scans and penetration tests for years. It’s because the vendors and users knew their stacks were fragile. This is just reality the infosec world is finally catching up to. This isn’t the first exploration of an embedded stack with problems, and it will most definitely not be the last. Whether this makes a change in the industry is a bigger question.
Assessed Attacker Value: 2
Assessed Attacker Value: 2
Assessed Attacker Value: 1
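The point made in the assessments above, that edge and intermediate devices discard many malformed packets before they ever reach an embedded stack, is easy to see with a small IPv4 header validator of the kind a router or firewall applies before forwarding. The block below is an added example written for this page; it is not code from JSOF, Treck or Rapid7. The packets are constructed inline using RFC 5737 documentation addresses, and the checks it applies (version, IHL, total length, header checksum, TTL, fragment range) are generic header sanity rules, not the specific conditions behind any individual Ripple20 CVE.

```python
"""Sanity checks an edge device or middlebox can apply to an IPv4 header
before forwarding. Added example for this AttackerKB page; it is not code
from JSOF or Treck, and every packet below is constructed inline."""
import ipaddress
import struct
from typing import Dict, List, Optional

IPV4_MIN_HDR = 20


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words.
    Over a header whose checksum field is already filled in, a valid
    header yields 0."""
    data = header if len(header) % 2 == 0 else header + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, *, ttl: int = 64,
               proto: int = 17, flags_frag: int = 0,
               total_len: Optional[int] = None,
               corrupt_checksum: bool = False) -> bytes:
    """Build a 20-byte IPv4 header plus payload. total_len and
    corrupt_checksum exist only to manufacture malformed test packets."""
    length = IPV4_MIN_HDR + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, length, 0x1234, flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    if corrupt_checksum:
        csum ^= 0x00FF                       # any change invalidates it
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def ipv4_drop_reasons(packet: bytes) -> List[str]:
    """Return the reasons a filtering device would drop this packet
    (an empty list means it passes these header checks)."""
    if len(packet) < IPV4_MIN_HDR:
        return ["truncated: fewer than 20 bytes"]
    reasons: List[str] = []
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    ttl = packet[8]
    if version != 4:
        reasons.append(f"version {version} != 4")
    if ihl < IPV4_MIN_HDR:
        reasons.append(f"IHL {ihl} bytes < 20")
    elif ihl > len(packet):
        reasons.append(f"IHL {ihl} exceeds captured {len(packet)} bytes")
    elif ipv4_checksum(packet[:ihl]) != 0:
        reasons.append("header checksum mismatch")
    if total_len < ihl:
        reasons.append(f"total length {total_len} shorter than header")
    elif total_len > len(packet):
        reasons.append(f"total length {total_len} exceeds captured {len(packet)} bytes")
    if ttl == 0:
        reasons.append("TTL is 0")
    frag_off = (flags_frag & 0x1FFF) * 8     # low 13 bits, in 8-byte units
    if total_len >= ihl and frag_off + (total_len - ihl) > 65535:
        reasons.append(f"fragment at offset {frag_off} would exceed 65535-byte datagram")
    return reasons


def run_examples() -> Dict[str, List[str]]:
    """Constructed packets: one clean, the rest malformed in one way each."""
    payload = b"\x00" * 8                       # constructed stand-in payload
    src, dst = "192.0.2.10", "198.51.100.20"    # RFC 5737 documentation addresses
    return {
        "well_formed": ipv4_drop_reasons(build_ipv4(src, dst, payload)),
        "bad_checksum": ipv4_drop_reasons(build_ipv4(src, dst, payload, corrupt_checksum=True)),
        "length_overclaim": ipv4_drop_reasons(build_ipv4(src, dst, payload, total_len=60)),
        "truncated": ipv4_drop_reasons(build_ipv4(src, dst, payload)[:12]),
        "fragment_past_end": ipv4_drop_reasons(build_ipv4(src, dst, payload, flags_frag=0x1FFF)),
    }


if __name__ == "__main__":
    for name, reasons in run_examples().items():
        verdict = "forward" if not reasons else "drop: " + "; ".join(reasons)
        print(f"{name:18s} -> {verdict}")
```

Only the first packet passes; each of the others is rejected by a check that any forwarding device with basic header validation performs, which is why a crafted packet that relies on one of these conditions typically has to originate on the same segment as the target.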
attackerkb.com/topics/1XK6o17WtS/cve-2020-11914
attackerkb.com/topics/2eJTkTURHP/cve-2020-11899
attackerkb.com/topics/52Pe2M29sQ/cve-2020-11911
attackerkb.com/topics/6aIS3G2p8K/cve-2020-11905
attackerkb.com/topics/aQLBr9bojq/cve-2020-11901
attackerkb.com/topics/bifJFJ5meN/cve-2020-11903
attackerkb.com/topics/EfyfdaBnTo/cve-2020-11912
attackerkb.com/topics/G7DNAAf1a1/cve-2020-11900
attackerkb.com/topics/H4R5J2uDvf/cve-2020-11906
attackerkb.com/topics/Ix3JQbUip7/cve-2020-11896
attackerkb.com/topics/IX60nww8qW/cve-2020-11897
attackerkb.com/topics/moT2PdmlBG/cve-2020-11907
attackerkb.com/topics/P73WEfLK2U/cve-2020-11909
attackerkb.com/topics/q1QRKtfjrx/cve-2020-11910
attackerkb.com/topics/QgoZaaBOHU/cve-2020-11902
attackerkb.com/topics/SkKwwdTftq/cve-2020-11913
attackerkb.com/topics/Smf3ig0wXR/cve-2020-11898
attackerkb.com/topics/t8FNUlhJEP/cve-2020-11908
attackerkb.com/topics/VPm6oMFZ2U/cve-2020-11904
www.us-cert.gov/ics/advisories/icsa-20-168-01