Ripple20 vulnerabilities still plaguing IoT devices

The Ripple20 situation has improved little since the collection of IoT vulnerabilities were first revealed in June, and experts say the IoT industry may never be fully rid of them.

That's according to researchers from JSOF, a cybersecurity consultancy based in Jerusalem, during a Black Hat USA 2020 session on Wednesday. The JSOF team offered a technical deep dive into the series of 19 zero-day vulnerabilities the firm discovered last year, which affected hundreds of millions of IoT devices across virtually all vertical industries.

The vulnerabilities are part of a TCP/IP stack called Treck TCP/IP, widely used among a long list of connected and IoT devices from vendors such as Intel, Cisco and Hewlett Packard Enterprise.

In the Black Hat session, JSOF CEO Shlomi Oberman explained that four of the vulnerabilities are critical remote code execution vulnerabilities, and eight are medium- to high-severity Common Vulnerability Scoring System weaknesses with some chance of RCE.

"The devices affected are made by vendors you all know," Oberman said. "Large vendors, devices of high impact, as well as smaller vendors of any range of all types of IoT devices and from Fortune 500 companies to one-person shops, tiny little companies making specialist devices. The types of devices you can encounter in your hospital, at home on your network, power, water, cellular, utilities, things you use in your everyday life, transportation -- pretty much anything we do is powered by devices affected by Ripple20 vulnerabilities."

Knowing what we know about [Ripple20-]affected devices and affected vulnerabilities, we're assuming every mid-to-large organization in the U.S. has at least one vulnerable device.

Because the Treck stack was used in so many different products, from routers and DVRs to medical devices and industrial control systems (ICSes), it was a challenge for JSOF researchers to identify and notify affected vendors. JSOF said the TCP/IP library has spread across the technology supply chain over the last two decades, with different versions and branches reaching hundreds of millions of devices. The researchers said this created a ripple effect across the technology industry, hence the name Ripple20.

While some major vendors have issued advisories and patches for Ripple20 vulnerabilities, others have not. Oberman said the problem is extremely widespread, and he expects more vulnerable vendors and devices will be discovered as time goes on.

"At this stage, knowing what we know about affected devices and affected vulnerabilities, we're assuming every mid-to-large organization in the U.S. has at least one vulnerable device, whether it be a networking device, a printing device, ICS device, etc.," Oberman said.

Scott Caveza, research engineering manager at Tenable, also said he expects the scope of devices and vendors affected to grow even further. Tenable collaborated with JSOF recently to help identify 34 additional vendors and 47 devices vulnerable to Ripple20.

Even worse, according to Caveza, it will be nearly impossible to ever fully get rid of devices affected by the Ripple20 vulnerability.

"JSOF continues to work with various vendors and CERT/CC [Computer Emergency Response Team Coordination Center] to reach out to those vendors," he said. "Because this library has been repurposed over many years by multiple vendors, tracking down all affected devices is a near-impossible task, and there will inevitably be devices that are found to be vulnerable but no longer supported or were released by a company that is no longer in business."

As for how serious it is, Caveza said that "the range of severity will really depend on the device and how the Treck TCP/IP stack was implemented."

"In some cases, this could have a very severe impact, and in others, code differences could offer some mitigations and protection," he said. "The Treck library is found in a wide variety of IoT and operational technology devices, which may be used in critical operations and are notoriously difficult to patch. This certainly heightens the threat posed by Ripple20."