Critical flaws in the integrated TCP/IP stack impact millions of IoT devices across industries

Vulnerabilities in the memory management of a large number of commercial and consumer devices allow those devices to be completely taken over.

The problem

Millions of devices, from consumer products such as printers and IP cameras to specialized equipment used in organizations such as video conferencing systems and industrial control systems (ICS), are at risk because of critical vulnerabilities in an embedded TCP/IP library. Some of the flaws allow remote code execution (RCE) over the network and could lead to a complete takeover of the affected device.

The vulnerabilities were found by the Israeli company JSOF, which specializes in the security of IoT and embedded devices. They stem from a TCP/IP stack developed by the company Treck. The researchers found 19 vulnerabilities, several of which are rated as critical, and named them Ripple20 because they were reported in 2020 and have a ripple effect throughout the embedded supply chain.

The size

It is estimated that more than 100 manufacturers are affected by these vulnerabilities. Many of them are still investigating and have not yet confirmed whether their products are impacted. Confirmed suppliers include HP, which uses the library in some of its printers; Hewlett Packard Enterprise (HPE); Cisco; Intel, which uses the stack in the AMT out-of-band management firmware for Intel vPro-compatible systems; Schneider Electric, which uses Treck in its Uninterruptible Power Supply (UPS) equipment and possibly other products; Rockwell Automation; medical device manufacturers Baxter and B. Braun; construction and mining equipment manufacturer Caterpillar; US research and development organization Sandia National Laboratories; IT service provider HCL Technologies; and component manufacturer Digi International.

A Shodan search for 37 affected device models from 18 vendors, conducted by Forescout, revealed approximately 15,000 devices connected directly to the internet and therefore reachable by anyone.

What can you do?

It is advisable to regard embedded devices as ‘untrusted’ and to place them in a separate segment of your network. This is how you contain the impact: if something happens to such a device, the damage is limited to that segment and the rest of your network is protected.

Therefore, create a separate segment in your IT network for IP cameras, a separate segment for network printers, a separate segment for the management interfaces of server hardware, UPSs, etc.

In your OT network it is recommended to follow the guidelines of IEC 62443 and to divide your Industrial Control Systems into Zones and Conduits. You then assign the target Security Level (SL) to each zone and configure the security capabilities of each device so that this target level is met.
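The segmentation advice above can be checked mechanically: treat each device class as a zone, write down the few cross-zone flows you actually need (the conduits), and reject any firewall rule that lets an embedded-device zone initiate traffic, that crosses a zone boundary without an approved conduit, or that is not scoped to a single zone. The script below is an added example written for this article; it is not code from JSOF, Treck, Spinae, or any firewall vendor. The zone address ranges, the conduit list, the `Rule` structure and the sample ruleset are all constructed for illustration.

```python
"""Check a firewall ruleset against a zone-and-conduit segmentation policy.

Added example (not from the original article). Zones, conduits and rules
are constructed sample data; adapt them to your own address plan.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port; None means any port
    action: str          # "allow" or "deny"


# One zone per device class (constructed ranges, an assumption of this example).
ZONES: Dict[str, str] = {
    "users":    "10.10.0.0/16",
    "cameras":  "10.20.0.0/24",
    "printers": "10.30.0.0/24",
    "oob-mgmt": "10.40.0.0/24",   # server BMCs, UPS management interfaces
    "nvr":      "10.50.0.0/24",   # video recorder that pulls streams from cameras
}

# Embedded zones are untrusted: they may be reached through a conduit,
# but must never initiate connections into another zone.
UNTRUSTED: Set[str] = {"cameras", "printers", "oob-mgmt"}

# Conduits: the only cross-zone flows the policy permits (constructed list).
CONDUITS: Set[Tuple[str, str, str, int]] = {
    ("users", "printers", "tcp", 631),    # IPP printing
    ("users", "printers", "tcp", 9100),   # raw print
    ("nvr", "cameras", "tcp", 554),       # RTSP pull by the recorder
    ("users", "oob-mgmt", "tcp", 443),    # admin web UI of BMC/UPS
}


def zone_of(cidr: str) -> Optional[str]:
    """Return the zone that fully contains cidr, or None if it is not zone-scoped."""
    net = ip_network(cidr, strict=False)
    for name, zone_cidr in ZONES.items():
        if net.subnet_of(ip_network(zone_cidr)):
            return name
    return None


def check_rules(rules: List[Rule]) -> List[Tuple[str, Rule]]:
    """Return (violation_code, rule) for every allow rule that breaks the policy."""
    violations: List[Tuple[str, Rule]] = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules never widen exposure
        src, dst = zone_of(r.src), zone_of(r.dst)
        if src is None or dst is None:
            violations.append(("unscoped", r))           # e.g. 0.0.0.0/0 as source
            continue
        if src == dst:
            continue  # intra-zone traffic is handled inside the zone
        if src in UNTRUSTED:
            violations.append(("untrusted-initiates", r))
            continue
        if r.proto == "any" or r.port is None:
            violations.append(("too-broad", r))          # conduits name proto+port
            continue
        if (src, dst, r.proto, r.port) not in CONDUITS:
            violations.append(("no-conduit", r))
    return violations


# Constructed sample ruleset: two compliant conduits, one intra-zone rule,
# one deny rule, and four rules that violate the policy in different ways.
SAMPLE_RULES: List[Rule] = [
    Rule("10.10.0.0/16", "10.30.0.0/24", "tcp", 631, "allow"),   # ok: IPP conduit
    Rule("10.50.0.0/24", "10.20.0.0/24", "tcp", 554, "allow"),   # ok: RTSP conduit
    Rule("10.20.0.0/24", "10.10.0.0/16", "any", None, "allow"),  # cameras initiate to users
    Rule("10.10.0.0/16", "10.40.0.0/24", "any", None, "allow"),  # users -> mgmt, any port
    Rule("0.0.0.0/0", "10.30.0.0/24", "tcp", 9100, "allow"),     # source not zone-scoped
    Rule("10.10.0.0/16", "10.20.0.0/24", "tcp", 80, "allow"),    # users -> cameras, no conduit
    Rule("10.30.0.0/24", "10.30.0.0/24", "tcp", 631, "allow"),   # intra-zone, ignored
    Rule("10.20.0.0/24", "10.10.0.0/16", "any", None, "deny"),   # deny, ignored
]

if __name__ == "__main__":
    for code, rule in check_rules(SAMPLE_RULES):
        print(f"{code:20s} {rule.src} -> {rule.dst} {rule.proto}/{rule.port}")
```

Run against the sample data, the checker reports exactly the four offending rules. The design choice worth copying is the asymmetry: an embedded zone is allowed to be a destination through a named conduit, but never a source, so a compromised camera or printer cannot reach out to the rest of the network even if a rule author later adds a permissive entry by mistake.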

Extra information

  • https://www.jsof-tech.com/wp-content/uploads/2020/06/JSOF_Ripple20_Technical_Whitepaper_June20.pdf
  • https://www.kb.cert.org/vuls/id/257161
  • https://www.us-cert.gov/ics/advisories/icsa-20-168-01
  • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC
  • https://www.se.com/ww/en/download/document/SESB-2020-168-01/

Ask specialists for advice

Spinae is ready to advise and support you in this. Do you have questions or concerns about IT security or OT security? Contact our experts; they will be happy to assist you.