Researchers at Jerusalem-based cyber security firm JSOF have uncovered a series of vulnerabilities in the widely used Treck TCP/IP software library, which could allow attackers to take control of remote devices running the faulty code.
According to researchers, the vulnerabilities, dubbed Ripple20, affect millions of devices, including connected printers, insulin pumps, smart home devices, power-grid equipment, industrial-control gear, routers, communications equipment, commercial aircraft devices, data centre devices, and others.
The Treck software library was developed nearly two decades ago to handle the TCP/IP protocol and enable devices to connect to networks and the internet. Over the past 20 years, the library has been integrated into many enterprise and consumer-grade products from more than 25 manufacturers, including HP, Intel, Schneider Electric, Baxter, Caterpillar and Rockwell Automation, operating in transport, medical, energy, industrial control, telecoms and other industries.
According to JSOF CEO Shlomi Oberman, a "ripple effect" has caused these vulnerabilities to transfer from one vendor to another through mergers and acquisitions, and software development.
The researchers are now concerned that the devices using the Treck software library will likely remain unpatched due to untracked software supply chains.
"It's been very difficult to track the supply chain up and down, and understand who's vulnerable, how they're vulnerable, who they got the code from, etcetera," Oberman said.
"In some of the cases, the vendors ceased operations or the stack is embedded as a component and it's very, very difficult to patch the vulnerabilities."
In total, researchers found 19 vulnerabilities, of which four are rated as critical. If successfully exploited, the flaws could enable hackers to steal data from a device (such as a printer), tamper with a medical device's behaviour, or cause an industrial control device to fail.
A critical flaw, indexed as CVE-2020-11896, has been assigned a score of 10 out of 10 on the CVSS severity scale. According to researchers, this bug can be triggered by sending many malformed IPv4 packets to a device supporting IPv4 tunnelling.
The second critical flaw, CVE-2020-11897, is an out-of-bounds write bug which impacts devices running an older version of the Treck software with IPv6 support.
CVE-2020-11898 is an improper handling of length parameter inconsistency flaw affecting the IPv4/ICMPv4 component. It could allow hackers to steal sensitive information from a targeted device.
CVE-2020-11899 is the fourth critical flaw which could allow exposure of sensitive information.
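The flaws above are described only at the level of packet-handling bugs: malformed IPv4 packets and a length parameter inconsistency in the IPv4/ICMPv4 code. As an added illustration, not code from Treck or JSOF and not a reproduction of any specific CVE, the Python below shows the class of length-consistency checks a receiving stack must make before trusting a datagram: the IHL, the Total Length field and the number of bytes actually received have to agree with each other, and an ICMPv4 message has to be at least a full header long. Every packet in the script is constructed locally, and the `total_len_override` parameter exists only so the example can forge an inconsistent Total Length field to test against.

```python
import struct

ICMP_PROTO = 1  # IPv4 protocol number for ICMPv4


def inet_checksum(data: bytes) -> int:
    """Standard Internet checksum: ones-complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp_echo(src: bytes, dst: bytes, payload: bytes,
                         total_len_override: int = 0) -> bytes:
    """Construct a sample IPv4/ICMPv4 echo request (test input for this example only).

    total_len_override, when non-zero, writes that value into the IPv4 Total
    Length field instead of the true length, producing a packet whose
    declared size disagrees with its real size.
    """
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload  # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = total_len_override or (20 + len(icmp))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ICMP_PROTO, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ipv4(buf: bytes) -> dict:
    """Parse an IPv4 header, rejecting any packet whose length fields disagree."""
    if len(buf) < 20:
        raise ValueError("truncated: fewer than 20 bytes for a minimal IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20:
        raise ValueError(f"IHL of {ihl} bytes is below the minimum header size")
    # The three length sources must be consistent before any field past the
    # header is read: header <= declared total <= bytes actually received.
    if total_len < ihl:
        raise ValueError(f"Total Length {total_len} smaller than header length {ihl}")
    if total_len > len(buf):
        raise ValueError(f"Total Length {total_len} exceeds the {len(buf)} bytes received")
    if inet_checksum(buf[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": src, "dst": dst, "protocol": proto, "payload": buf[ihl:total_len]}


def parse_icmpv4(payload: bytes) -> dict:
    """Parse an ICMPv4 message, rejecting one shorter than its fixed 8-byte header."""
    if len(payload) < 8:
        raise ValueError(f"ICMPv4 message of {len(payload)} bytes shorter than 8-byte header")
    if inet_checksum(payload) != 0:
        raise ValueError("ICMPv4 checksum mismatch")
    return {"type": payload[0], "code": payload[1], "data": payload[8:]}


def validate_packet(buf: bytes) -> str:
    """Return 'ok' or 'reject: <reason>' for one received IPv4 datagram."""
    try:
        ip = parse_ipv4(buf)
        if ip["protocol"] == ICMP_PROTO:
            parse_icmpv4(ip["payload"])
        return "ok"
    except ValueError as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    src, dst = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"  # constructed addresses
    print(validate_packet(build_ipv4_icmp_echo(src, dst, b"abcd")))
    print(validate_packet(build_ipv4_icmp_echo(src, dst, b"abcd", total_len_override=2000)))
    print(validate_packet(build_ipv4_icmp_echo(src, dst, b"abcd", total_len_override=8)))
    print(validate_packet(build_ipv4_icmp_echo(src, dst, b"abcd", total_len_override=24)))
```

The last three calls show the three ways a declared length can lie: larger than the buffer (a naive copy would read past the end), smaller than the header itself (a naive payload-length subtraction underflows), and large enough for the IP header but too small for the ICMP header that follows. A parser that trusts any one of these fields without checking it against the others is exactly the pattern the article's "length parameter inconsistency" wording describes.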
JSOF says it will provide further details about the vulnerabilities at the Black Hat virtual event that is scheduled to be held in August.