Security researchers at JSOF, an Israeli cybersecurity company, discovered 19 flaws, many of them classified as critical, that affect millions of IoT devices across several vendors. They dubbed the set Ripple20.
The vulnerabilities, reported in early 2020, have a ripple effect across the embedded supply chain, reaching everything from consumer products like IP cameras and printers to specialized interconnected devices used across business organizations, such as video conferencing systems and enterprise systems.
These systems are at risk because the embedded TCP/IP library contains flaws that allow remote code execution over the network, which could result in a full compromise of the affected devices.
How the 19 Flaws in the TCP/IP Software Library Were Discovered
JSOF collaborated with security researchers from IoT vendors and visibility firm Forescout to identify potentially vulnerable products using TCP/IP signatures in its knowledge base of embedded devices.
The researchers also worked with the critical infrastructure arm (ICS-CERT) of the US Cybersecurity and Infrastructure Security Agency (CISA) to notify and confirm the affected products and vendors.
The vulnerabilities are all memory corruption issues stemming from errors in the handling of packets sent over the network via different protocols, including IPv4, IPv6, ICMPv4, IPv6OverIPv4, UDP, TCP, ARP, DHCP, DNS and the Ethernet Link Layer. Two of the vulnerabilities were rated 10, the highest possible severity score in the Common Vulnerability Scoring System (CVSS).
According to their findings, all products from 11 vendors have been confirmed as vulnerable, including infusion pumps, UPS systems, networking equipment, POS systems, IP cameras, building automation devices, and ICS devices. The researchers believe the flaws could impact millions of devices from other vendors.
Efforts to Mitigate the Flaws in the TCP/IP Software Library
JSOF, in partnership with Forescout, has developed signatures based on traffic patterns that could be useful in identifying potentially vulnerable devices.
They have also drawn heavily on open-source intelligence gathering: analyzing the legal and copyright documentation of products, looking for mentions of Treck in stack traces and debugging symbols during firmware analysis, and tracing relationships between the developer and various vendors.
Forescout has subsequently added the detection capability to its own IoT visibility and management products, and JSOF plans to release some of the information so that organizations can develop their own scanning and monitoring capabilities to identify devices on their networks that might be at risk from the Treck library and isolate them.
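A minimal sketch of the firmware-analysis step described above, added here as an illustration and not taken from JSOF or Forescout: it extracts printable ASCII and UTF-16LE strings from firmware images and flags those that mention Treck. The function names and sample blobs are constructed for the example, and a hit is a lead for asset inventory, not proof that a vulnerable version is present.

```python
import re

MIN_LEN = 4  # shortest printable run treated as a string, like strings(1)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
VENDOR = re.compile(r"\btreck\b", re.IGNORECASE)  # the only name the page gives


def printable_strings(blob):
    """Yield (offset, encoding, text) for ASCII and UTF-16LE runs in blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_vendor_mentions(blob):
    """Return sorted (offset, encoding, text) hits that name the vendor."""
    hits = [s for s in printable_strings(blob) if VENDOR.search(s[2])]
    return sorted(hits)


def triage(images):
    """Map image name -> hits, keeping only images with at least one hit."""
    report = {}
    for name, blob in images.items():
        hits = find_vendor_mentions(blob)
        if hits:
            report[name] = hits
    return report


# Constructed sample blobs standing in for extracted firmware images.
SAMPLES = {
    "camera.bin": b"\x7fELF\x00\x01" + b"\x00" * 8
    + b"Copyright (c) Treck Inc. (constructed sample)\x00\xff\xfe",
    "printer.bin": b"\x00\x10" + "TRECK stack init".encode("utf-16le") + b"\x00\x00",
    "router.bin": b"\x00\x01busybox v1.0 (constructed)\x00trecking-app\x00",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        for offset, enc, text in hits:
            print(f"{name}: 0x{offset:x} [{enc}] {text}")
```

The word-boundary match keeps unrelated strings such as "trecking-app" out of the report, and the UTF-16LE pass catches wide-character strings that a plain ASCII search misses.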
The researchers have also contacted affected vendors, including Schneider Electric, HP, Intel, Rockwell Automation, Caterpillar, Baxter, and Quadros, all of which have acknowledged the flaws and carried out an assessment of their products. CISA has also advised affected organizations to perform proper analysis and risk assessment before deploying defensive measures.