  #1  
Old 22-06-2020, 02:23 PM
gary
Registered User

Join Date: Apr 2005
Location: Mt. Kuring-Gai
Posts: 5,928
Ripple20: Zero Day exploits found affecting millions of internet connected devices

17th June 2020

JSOF, a cyber security consultancy in Israel, has announced the discovery
of a series of serious zero-day exploits impacting potentially
hundreds of millions of IoT (Internet of Things) devices.

Quote:
Originally Posted by JSOF
The JSOF research lab has discovered a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. The 19 vulnerabilities, given the name Ripple20, affect hundreds of millions of devices (or more) and include multiple remote code execution vulnerabilities. The risks inherent in this situation are high. Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks.

The interesting thing about Ripple20 is the incredible extent of its impact, magnified by the supply chain factor. The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain “ripple-effect”. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people.

For example, the Treck TCP/IP stack is used in certain HP and Samsung
branded printers :-
https://support.hp.com/in-en/document/c06640149

and in some Cisco routers and gateways :-
https://tools.cisco.com/security/cen...stack-JyBQ5GyC

JSOF announcement here :-
https://www.jsof-tech.com/ripple20/

Advice is given under the section Risk Evaluation and Mitigations.
Certainly perform an assessment on any device that is Internet facing.

Treck vulnerability announcements :-
https://treck.com/vulnerability-response-information/
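The assessment Gary recommends for internet-facing devices, written out as an added example (not part of the original thread and not JSOF's or any vendor's tooling): it joins a router's port-forwarding table against a hand-kept inventory of LAN devices and reports which devices are reachable from the internet and whether a vendor advisory or patch is still outstanding. The port-forward text format, the device names, the addresses and the advisory states are all constructed for the example; a real router exports its forwarding table in its own format, so the parser would need adjusting.

```python
"""Exposure assessment for internet-facing LAN devices (added example).

Joins a router port-forwarding export against a device inventory and
reports, per exposed device, the forwarded ports and what to do next.
Everything below (rule format, addresses, device names, advisory states)
is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed port-forward export in a hypothetical
# "proto ext_port -> lan_ip:lan_port" format (not any real router's output).
FORWARD_RULES = """\
# proto  ext_port  ->  lan_ip:lan_port
tcp  9100 -> 192.168.1.20:9100   # printer, raw print port
tcp   443 -> 192.168.1.30:443    # UPS management card
tcp  8080 -> 192.168.1.40:80     # IP camera web UI
udp   161 -> 192.168.1.30:161    # SNMP on the UPS
"""

# Constructed LAN inventory: ip -> (description, advisory state).
# Advisory state is "patched", "unpatched" or "unknown" (vendor not checked yet).
INVENTORY = {
    "192.168.1.20": ("HP network printer (model placeholder)", "unpatched"),
    "192.168.1.30": ("APC UPS network management card (placeholder)", "unknown"),
    "192.168.1.40": ("IP security camera (placeholder)", "patched"),
    "192.168.1.50": ("NAS (placeholder)", "patched"),   # no forward: LAN only
}

RULE_RE = re.compile(
    r"^\s*(tcp|udp)\s+(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)", re.IGNORECASE
)


@dataclass(frozen=True)
class Exposure:
    lan_ip: str
    proto: str
    ext_port: int
    lan_port: int


def parse_forward_rules(text):
    """Return the Exposure entries found in a port-forward export.

    Blank lines, comment lines and malformed lines are skipped.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = RULE_RE.match(line)
        if m:
            rules.append(Exposure(m.group(3), m.group(1).lower(),
                                  int(m.group(2)), int(m.group(4))))
    return rules


def assess_exposure(rules, inventory):
    """Group forwarded ports per LAN device and attach a recommendation.

    Returns {lan_ip: {"device", "advisory", "ports", "action"}}. A forwarded
    address that is missing from the inventory is reported as unknown
    hardware, which is itself a finding: something is internet-facing that
    nobody has on the books.
    """
    report = {}
    for r in rules:
        entry = report.setdefault(r.lan_ip, {"ports": []})
        entry["ports"].append(f"{r.proto}/{r.ext_port}->{r.lan_port}")
    for ip, entry in report.items():
        desc, state = inventory.get(ip, ("not in inventory", "unknown"))
        entry["device"] = desc
        entry["advisory"] = state
        if state == "unpatched":
            entry["action"] = "patch now or remove the port forward"
        elif state == "unknown":
            entry["action"] = "check vendor advisory; remove forward until confirmed"
        else:
            entry["action"] = "patched; still ask whether remote access is needed"
    return report


def internet_facing_unpatched(report):
    """LAN addresses that are exposed and not confirmed patched, sorted."""
    return sorted(ip for ip, e in report.items() if e["advisory"] != "patched")


if __name__ == "__main__":
    rep = assess_exposure(parse_forward_rules(FORWARD_RULES), INVENTORY)
    for ip, e in sorted(rep.items()):
        print(f"{ip:15} {e['device']:48} ports={','.join(e['ports'])}")
        print(f"{'':15} advisory={e['advisory']}: {e['action']}")
    print("needs attention:", internet_facing_unpatched(rep))
```

The NAS in the inventory never appears in the report because nothing is forwarded to it, which is the point of the exercise: only devices with a path in from the internet need the urgent check, and the rest can wait for the normal patch cycle.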
  #2  
Old 22-06-2020, 02:42 PM
multiweb (Marc)
ze frogginator

Join Date: Oct 2007
Location: Sydney
Posts: 22,062
Scary stuff. Thanks for the heads up.
  #3  
Old 22-06-2020, 03:01 PM
Nikolas (Nik)
Dazed and confused

Join Date: May 2012
Location: Melbourne
Posts: 3,267
What does that mean in layman's terms? All I read was IT gibberish.
  #4  
Old 22-06-2020, 03:25 PM
leon
Registered User

Join Date: Apr 2006
Location: Warrnambool
Posts: 12,449
Yeah, I'm with you Nik.

Leon
  #5  
Old 22-06-2020, 03:45 PM
gary
Registered User

Join Date: Apr 2005
Location: Mt. Kuring-Gai
Posts: 5,928
Quote:
Originally Posted by Nikolas View Post
What does that mean in layman's terms? All I read was IT gibberish.
Hi Nik,

An increasing number of appliances come with Ethernet or WiFi connectivity.

A good example is a network connected printer.

Normally these devices are only exposed to your local intranet.

However, some devices can be configured to be remotely accessible
through the Internet as well.

For example, APC is a well-known manufacturer of Uninterruptible
Power Supplies (UPS's). Some higher-end models have networking
capability and can be configured to be accessed remotely.
Perhaps one is in a remote observatory that the owner can receive alerts
from if the mains power fails.

One vulnerability exists in some of these UPS's. An attacker can gain access
to the internal network via the UPS.

The software module within these devices that provides networking
capability is referred to as a TCP/IP stack. There are many sources of
TCP/IP stacks. However some equipment manufacturers purchased
TCP/IP stacks from a company called Treck Inc. to embed within their
own products. The stacks from Treck Inc. are the ones found to have
multiple vulnerabilities.

As a rule of thumb, if you have a device that can be configured to be
accessible remotely over the internet, treat it with suspicion if you have
configured it to do so. Ask yourself, do you really need to access it remotely?

Though it is not directly related to the Treck TCP/IP stack exploit, it is
prudent in particular to treat IP security cameras with suspicion.
Many households and organizations equip themselves with security
cameras that they can then monitor remotely. Apart from the potential
of being "hijacked" by an outsider, if the software that was embedded in
them in the first place contains a backdoor or trojan horse, it can result
in not only the camera's images being accessed by a third party, but
make all other devices including computers on the same network
vulnerable.

Also treat Internet of Things (IoT) devices with their own embedded WiFi hubs
with suspicion. For example, a quick scan of access points on my smartphone
reveals neighbours running multiple IoT devices. I have no idea what they are
specifically, but for example might be IP cameras or some form of home automation.
Though the "lock" icon shows they are secure using WPA-2 or some other WiFi security
mechanism, they are a good example of the type of device that may have a vulnerability.
WiFi devices that provide WPS as the security mechanism these days are regarded as vulnerable.
Don't run WPS.
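The last paragraph of the post above gives two concrete settings to look for on a WiFi access point: WPA-2 (good) and WPS (don't run it). The following is an added example, not from the original thread, of checking those settings mechanically on an access point whose configuration is in the hostapd.conf key=value format (common on OpenWrt and other Linux-based routers; consumer routers usually only expose the same choices through a web page). The sample configuration is constructed; the keys `wps_state`, `wpa`, `wpa_pairwise` and `rsn_pairwise` are real hostapd options, and the audit goes slightly beyond the post by also flagging the legacy WPA1/TKIP cipher that WPA-2 replaced.

```python
"""Audit a hostapd-style access-point config for WPS and weak WPA settings.

Added example (not from the original thread). Parses hostapd.conf-style
key=value lines and flags WPS being enabled and anything weaker than
WPA2 with CCMP. The sample config is constructed.
"""

# Constructed config: an AP that still has WPS switched on and allows
# legacy WPA1/TKIP alongside WPA2. In hostapd, wpa is a bit field
# (1 = WPA, 2 = WPA2/RSN, 3 = both) and wps_state is 0 = disabled,
# 1 = enabled but unconfigured, 2 = enabled and configured.
WEAK_AP_CONFIG = """\
interface=wlan0
# constructed SSID
ssid=observatory-iot
hw_mode=g
channel=6
wpa=3
wpa_passphrase=CHANGE-ME-PLACEHOLDER
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
wps_state=2
"""


def parse_config(text):
    """Return {key: value} from hostapd-style lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of (key, finding) tuples; an empty list means no issue."""
    findings = []

    # hostapd defaults wps_state to 0 (WPS off); anything else enables it.
    wps = conf.get("wps_state", "0")
    if wps != "0":
        findings.append(("wps_state",
                         f"WPS enabled (wps_state={wps}); set wps_state=0"))

    try:
        wpa = int(conf.get("wpa", "0"))
    except ValueError:
        wpa = 0
    if wpa == 0:
        findings.append(("wpa", "no WPA at all (open or WEP network)"))
    elif wpa & 1:
        findings.append(("wpa", f"legacy WPA1 allowed (wpa={wpa}); set wpa=2"))

    # hostapd uses wpa_pairwise as the default for rsn_pairwise when the
    # latter is unset, so mirror that fallback here.
    pairwise = conf.get("rsn_pairwise", conf.get("wpa_pairwise", ""))
    if "TKIP" in pairwise.upper().split():
        findings.append(("rsn_pairwise", "TKIP cipher allowed; use CCMP only"))
    return findings


def harden(conf):
    """Return a copy of conf with the settings the audit flags corrected."""
    fixed = dict(conf)
    fixed["wps_state"] = "0"           # WPS off
    fixed["wpa"] = "2"                 # WPA2 only
    fixed.pop("wpa_pairwise", None)    # WPA1 cipher list no longer needed
    fixed["rsn_pairwise"] = "CCMP"     # AES-CCMP only, no TKIP
    return fixed


if __name__ == "__main__":
    conf = parse_config(WEAK_AP_CONFIG)
    for key, msg in audit(conf):
        print(f"{key}: {msg}")
    print("after hardening:", audit(harden(conf)) or "no findings")
```

The fallback from `rsn_pairwise` to `wpa_pairwise` matters: a config that sets only `wpa_pairwise=TKIP` with `wpa=2` would otherwise look clean to the audit while hostapd actually runs WPA2 with TKIP.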
  #6  
Old 22-06-2020, 04:39 PM
Nikolas (Nik)
Dazed and confused

Join Date: May 2012
Location: Melbourne
Posts: 3,267
Quote:
Originally Posted by gary View Post
(post #5 above, quoted in full)

Awesome explanation, I'm all good then. Cheers
  #7  
Old 22-06-2020, 08:01 PM
peter_4059 (Peter)
Big Scopes are Cool

Join Date: Jun 2007
Location: SE Tasmania
Posts: 4,532
Gary,

Does the vulnerability end when the device is no longer connected to the network or does it remain with any software installed to connect to the device?

Cheers,

Peter
  #8  
Old 22-06-2020, 08:37 PM
LewisM
Novichok test rabbit

Join Date: Aug 2012
Location: Somewhere in the cosmos...
Posts: 10,388
Cisco is well known to have specific and DELIBERATE back-end vulnerability built in as per specific governmental demand (you can guess who), and yet governments, including ours, continue to use Cisco (because we are TOLD to). Samsung vulnerability for back end remote hijack is also well known, especially their "Smart" devices.

US government would have you think Huawei is a worry for spying...only when it directly competes with the US' own spying "rights" of course. Look what our government recently signed into law regarding phone tapping, hacking, remote access etc with nary a squeak of it being made public, with SFA public consultation. 5 Eyes at its most back-handed.
  #9  
Old 22-06-2020, 09:01 PM
multiweb (Marc)
ze frogginator

Join Date: Oct 2007
Location: Sydney
Posts: 22,062
My Russian made kettle wants to take over the world.
  #10  
Old 22-06-2020, 11:57 PM
gary
Registered User

Join Date: Apr 2005
Location: Mt. Kuring-Gai
Posts: 5,928
Quote:
Originally Posted by peter_4059 View Post
Gary,

Does the vulnerability end when the device is no longer connected to the network or does it remain with any software installed to connect to the device?

Cheers,

Peter
Hi Peter,

In one worst-case scenario, if someone had already exploited the
vulnerability of an internet facing device to get into the intranet and
then created additional back doors for themselves on other devices
such as routers or computers, then it would be a case of closing the
barn door after the horse has already bolted.

But one would have to be unlucky.

Firstly, you would need to have a device that has the Treck TCP/IP stack
installed and for it to be internet accessible. Secondly, you would have to
then be targeted before having either patched the vulnerable device or
re-configured it to no longer being internet accessible.

As JSOF noted, the supply chain for this particular stack may be complex.
One manufacturer who originally purchased the stack may in turn have
other OEM customers.
Powered by vBulletin Version 3.8.7 | Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.