'Ripple20' security vulnerabilities in TCP/IP software library impact millions of connected devices

Nineteen bugs have been discovered so far in Treck software affecting connected printers, insulin pumps, smart home devices, power-grid equipment, industrial-control gear, routers, communications equipment, commercial aircraft and data centre devices

Researchers at Jerusalem-based cyber security firm JSOF have uncovered a series of vulnerabilities in the widely used Treck TCP/IP software library, which could allow attackers to take control of remote devices running the faulty code.

According to researchers, the vulnerabilities, dubbed Ripple20, affect millions of devices, including connected printers, insulin pumps, smart home devices, power-grid equipment, industrial-control gears, routers, communications equipment, commercial aircraft devices, data centre devices, and others.

The Treck software library was developed nearly two decades ago to implement the TCP/IP protocol suite and enable devices to connect to networks and the internet. Over the past 20 years, the library has been integrated into many enterprise and consumer-grade products from more than 25 manufacturers, including HP, Intel, Schneider Electric, Baxter, Caterpillar and Rockwell Automation, operating in transport, medical, energy, industrial control, telecoms and other industries.

According to JSOF CEO Shlomi Oberman, a "ripple effect" has carried these vulnerabilities from one vendor to another through mergers and acquisitions and through reuse of the code in software development.

The researchers are now concerned that the devices using the Treck software library will likely remain unpatched due to untracked software supply chains.

"It's been very difficult to track the supply chain up and down, and understand who's vulnerable, how they're vulnerable, who they got the code from, etcetera," Oberman said.

"In some of the cases, the vendors ceased operations or the stack is embedded as a component and it's very, very difficult to patch the vulnerabilities."


In total, researchers found 19 vulnerabilities, of which four are rated as critical. Successful exploitation of the flaws could enable attackers to steal data from a device (such as a printer), tamper with a medical device's behaviour, or cause an industrial control device to fail.

A critical flaw, indexed as CVE-2020-11896, has been assigned a score of 10 out of 10 on the CVSS severity scale. It is an improper handling of length parameter inconsistency in the IPv4/UDP component and, according to researchers, can be triggered by sending multiple malformed IPv4 packets to a device that supports IPv4 tunnelling, leading to remote code execution.

The second critical flaw, CVE-2020-11897, is an out-of-bounds write in the IPv6 component, affecting devices running older versions of the Treck software with IPv6 support.

CVE-2020-11898 is an improper handling of length parameter inconsistency flaw in the IPv4/ICMPv4 component. It could allow attackers to read sensitive information from a targeted device.

CVE-2020-11899, the fourth critical flaw, is an improper input validation bug in the IPv6 component that could allow exposure of sensitive information.
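Two of the four critical bugs above are described as "improper handling of length parameter inconsistency", the same bug class behind much of Ripple20: a header's length field is trusted instead of being cross-checked against the number of bytes that actually arrived, and the IPv4 tunnelling case nests that mistake (an inner IP packet's length must also be bounded by what the outer packet validated). The following C is an added illustration of that class and of the check a stack should perform; it is not Treck code, does not reproduce any Ripple20 vulnerability, and the IP-in-IP frames it parses are constructed inline for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: length-consistency checks for IPv4 and IP-in-IP, not Treck code. */
enum { PROTO_ICMP = 1, PROTO_IPIP = 4 };

typedef struct {
    size_t hdr_len;          /* IHL * 4 */
    size_t total_len;        /* total length field from the header */
    uint8_t proto;           /* protocol field */
    const uint8_t *payload;  /* first byte after the header */
    size_t payload_len;      /* bytes of payload actually present */
} ipv4_view;

/* The bug class: derive a payload length from header fields alone.  Nothing here
 * asks how many bytes were really received, so a forged total length yields a
 * payload length far beyond the buffer and any later copy or parse overruns it. */
size_t naive_payload_len(const uint8_t *buf) {
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    size_t tot = ((size_t)buf[2] << 8) | buf[3];
    return tot - ihl;        /* also wraps around when tot < ihl */
}

/* The hardened form: every length field is checked against buf_len, the number
 * of bytes the caller actually holds.  Returns 0 on success, negative on error. */
int ipv4_parse(const uint8_t *buf, size_t buf_len, ipv4_view *out) {
    if (buf_len < 20) return -1;                    /* truncated fixed header */
    if ((buf[0] >> 4) != 4) return -2;              /* not IPv4 */
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20) return -3;                        /* IHL below the minimum */
    if (ihl > buf_len) return -4;                   /* options run past the frame */
    size_t tot = ((size_t)buf[2] << 8) | buf[3];
    if (tot < ihl) return -5;                       /* total length smaller than header */
    if (tot > buf_len) return -6;                   /* header claims bytes that never arrived */
    out->hdr_len = ihl;
    out->total_len = tot;
    out->proto = buf[9];
    out->payload = buf + ihl;
    out->payload_len = tot - ihl;                   /* safe: tot >= ihl and tot <= buf_len */
    return 0;
}

/* IPv4-in-IPv4 tunnelling: the inner packet is bounded by the outer packet's
 * validated payload, never by what the inner header claims. */
int ipip_unwrap(const uint8_t *frame, size_t frame_len, ipv4_view *inner) {
    ipv4_view outer;
    int rc = ipv4_parse(frame, frame_len, &outer);
    if (rc != 0) return rc;
    if (outer.proto != PROTO_IPIP) return -7;       /* not a tunnelled packet */
    return ipv4_parse(outer.payload, outer.payload_len, inner);
}

/* Constructed test data: a 20-byte IPv4 header with caller-chosen total length. */
static void put_ipv4_hdr(uint8_t *p, uint16_t total_len, uint8_t proto) {
    memset(p, 0, 20);
    p[0] = 0x45;                                    /* version 4, IHL 5 */
    p[2] = (uint8_t)(total_len >> 8);
    p[3] = (uint8_t)(total_len & 0xff);
    p[8] = 64;                                      /* TTL */
    p[9] = proto;                                   /* checksum left zero: not the point here */
    memcpy(p + 12, "\x0a\x00\x00\x01", 4);          /* src 10.0.0.1 */
    memcpy(p + 16, "\x0a\x00\x00\x02", 4);          /* dst 10.0.0.2 */
}

/* Constructed 48-byte frame: outer IPv4 (proto 4) | inner IPv4 (proto 1) | 8-byte ICMP echo.
 * Both total-length fields come from the caller so inconsistent values can be built. */
size_t build_ipip_frame(uint8_t out[48], uint16_t outer_total, uint16_t inner_total) {
    static const uint8_t echo[8] = {8, 0, 0, 0, 0x12, 0x34, 0, 1};  /* echo request, id 0x1234, seq 1 */
    put_ipv4_hdr(out, outer_total, PROTO_IPIP);
    put_ipv4_hdr(out + 20, inner_total, PROTO_ICMP);
    memcpy(out + 40, echo, 8);
    return 48;
}

int main(void) {
    uint8_t f[48];
    ipv4_view v;
    size_t n = build_ipip_frame(f, 48, 28);        /* consistent: 20 + 20 + 8 */
    printf("consistent frame: rc=%d proto=%u payload=%zu\n", ipip_unwrap(f, n, &v), v.proto, v.payload_len);
    build_ipip_frame(f, 48, 0xFFFF);                /* inner header lies about its length */
    printf("forged inner length: naive=%zu checked rc=%d\n", naive_payload_len(f + 20), ipip_unwrap(f, n, &v));
    build_ipip_frame(f, 0xFFFF, 28);                /* outer header lies about its length */
    printf("forged outer length: naive=%zu checked rc=%d\n", naive_payload_len(f), ipv4_parse(f, n, &v));
    return 0;
}
```

The naive function is the pattern to look for when auditing an embedded stack: any place a length is computed from header fields and then used to index, copy or hand off to the next layer without a comparison against the bytes actually received. The tunnelled case matters because a stack can validate the outer header correctly and still trust the inner one.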

JSOF says it will provide further details about the vulnerabilities at the Black Hat virtual event scheduled for August.