A series of 19 different vulnerabilities, four of them critical, are affecting hundreds of millions of internet of things (IoT) and industrial-control devices.
The issue is based in the supply chain and code reuse, with the bugs affecting a TCP/IP software library developed by Treck that many manufacturers use. Researchers at JSOF uncovered the faulty part of Treck’s code, which is built to handle the ubiquitous TCP-IP protocol that connects devices to networks and the internet, in the devices of more than 10 different manufacturers—and it’s likely present in dozens more.
Affected hardware includes everything from connected printers to medical infusion pumps and industrial-control gear, according to researchers at JSOF’s research lab. Treck users include “one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being of vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries,” according to the research.
“The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain ‘ripple-effect,'” researchers said in a posting on Tuesday. “A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies and people.”
The flaws, dubbed Ripple20, include four remote code-execution vulnerabilities. If properly exploited, data could be stolen off of a printer, a medical device’s behavior could be tampered with, or industrial control devices could be made to malfunction.
“An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks,” according to JSOF.
The Ripple20 bugs include four critical flaws. These include CVE-2020-11896, with a base score of 10 out of 10 on the CVSS severity scale, which can be triggered by sending multiple malformed IPv4 packets to a device supporting IPv4 tunneling.
“It affects any device running Treck with a specific configuration,” according to JSOF. “It can allow a stable remote code execution and has been demonstrated on a Digi International device. Variants of this issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.”
The critical bug tracked as CVE-2020-11897 meanwhile also carried a 10-out-of-10 severity, and is an out-of-bounds write flaw that can be triggered by sending multiple malformed IPv6 packets to a device. It affects any device running an older version of Treck with IPv6 support, and was previously fixed in a routine code change. It can potentially allow stable remote code execution, according to the writeup.
Another critical bug, CVE-2020-11901, ranks 9 out of 10 on the severity scale and can be triggered by answering a single DNS request made from the device. It can allow an attacker to infiltrate the network, execute code and take over the device with one vulnerability, bypassing any security measures.
“It affects any device running Treck with DNS support and we have demonstrated that it can be used to perform remote code execution on a Schneider Electric APC UPS,” according to JSOF. “In our opinion this is the most severe of the vulnerabilities despite having a CVSS score of 9, due to the fact that DNS requests may leave the network in which the device is located, and a sophisticated attacker may be able to use this vulnerability to take over a device from outside the network through DNS cache poisoning, or other methods.”
The last critical bug is CVE-2020-11898, rating 9.1, which is an improper handling of length parameter inconsistency bug in the IPv4/ICMPv4 component, when handling a packet sent by an unauthorized network attacker. It can allow information disclosure.
Other flaws range from high-severity 8.2 bugs (such as CVE-2020-11900, a use-after-free flaw) to low-severity improper input validation issues (such as CVE-2020-11913, rating only 3.7 in severity).
“The other 15 vulnerabilities are in ranging degrees of severity with CVSS score ranging from 3.1 to 8.2, and effects ranging from denial of service to potential remote code execution,” the firm said. “Most of the vulnerabilities are true zero-days, with four of them having been closed over the years as part of routine code changes, but remained open in some of the affected devices (three lower severity, one higher). Many of the vulnerabilities have several variants due to the Stack configurability and code changes over the years.”
Effective exploitation can lead to a host of bad outcomes, the research firm warned, such as remote takeover of devices and lateral movement within the compromised network; broadcast attacks that can take over all impacted devices in the network simultaneously; hiding within an infected device for stealthy recon; and bypassing network address traversal (NAT) protections.
JSOF will offer further details of the vulnerabilities at the Black Hat USA virtual event in August.
Jonathan Knudsen, senior security strategist, Synopsys, noted that the Ripple20 disclosures illustrate endemic difficulties in software development.
“First, security must be integrated to every part of software development: From threat modeling during design to automated security testing during implementation, every phase of software development must involve security,” he said via email. “Second, organizations that create software must manage their third-party components. The main reason for the far-reaching effects of the Ripple20 vulnerabilities is that they are vulnerabilities in a network component used by many organizations in many products. Each software development organization must understand the third-party components they are using to minimize the risk that they represent.”
Treck has issued a patch for use by OEMs in the latest Treck stack version (184.108.40.206 or higher). The challenge now is for those companies to implement it. In addition to advisories from ICS CERT, CERTCC and JPCERT/CC, Intel and HP have also issued alerts.
“While the best response might be to install the original Treck patch, there are many situations in which installing the original patch is not possible,” according to the JSOF analysis. “CERTs work to develop alternative approaches that can be used to minimize or effectively eliminate the risk, even if patching is not an option.”
Because it’s a supply-chain issue, affected products should be able to update themselves, Knudsen added – something that’s not always the norm in the IoT and industrial-control sectors.
“Using secure development practices and managing third-party components will result in fewer, less frequent updates,” he explained. “Nevertheless, something will always go wrong and updates will always be necessary. Systems and devices must be able to update themselves securely, and the manufacturer must make a commitment to maintaining the software for some clearly stated time period.”
Based on CERT/CC and CISA ICS-CERT advisories, if gear can’t be patched, admins should minimize network exposure for embedded and critical devices, ensuring that devices are not accessible from the Internet unless absolutely essential. Also, operational technology networks and devices should be segregated behind firewalls and isolated from any business networks.
Users can also take steps to block anomalous IP traffic, employ pre-emptive traffic filtering, normalize DNS through a secure recursive server or DNS inspection firewall and/or provide DHCP/DHCPv6 security, with features such as DHCP snooping, according to the CERTs.
“The software library spread far and wide, to the point that tracking it down has been a major challenge,” the researchers concluded. “As we traced through the distribution trail of Treck’s TCP/IP library, we discovered that over the past two decades this basic piece of networking software has been spreading around the world, through both direct and indirect use. As a dissemination vector, the complex supply chain provides the perfect channel, making it possible for the original vulnerability to infiltrate and camouflage itself almost endlessly.”
Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it. Please register here for this Threatpost webinar.