A bunch of flaws in a commonly used TCP/IP software stack have put potentially tens of millions of Internet-of-Things devices, healthcare equipment, industrial control systems, and other network-connected gear at risk of remote attack, it is claimed.
The vulnerabilities are dubbed Ripple20 – because hey, what's a bug reveal without a marketing push these days? – and were found and reported by infosec outfit JSOF. The team's disclosure this week of the security holes lightly details 19 CVE-listed bugs in a TCP/IP stack developed by US outfit Treck for embedded systems.
Some of the programming blunders are remotely exploitable to run arbitrary code on the host, we're told, so it's possible to thus hijack vulnerable boxes over a network, or even the internet if the equipment is accessible from the public 'net.
"An attacker could hide malicious code within embedded devices for years," JSOF says of the flaw. "One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks."
JSOF claimed the vulnerable stack is used in tens of millions of Internet-of-Things and network-connected embedded devices: the flaws may have been present for more than a decade, and adopted by dozens of vendors.
Nine in ten biz applications harbor out-of-date, unsupported, insecure open-source code, study showsREAD MORE
"The software library spread far and wide, to the point that tracking it down has been a major challenge," the JSOF team said. "As we traced through the distribution trail of Treck’s TCP/IP library, we discovered that over the past two decades this basic piece of networking software has been spreading around the world, through both direct and indirect use."
Manufacturers confirmed to have shipped products using the vulnerable stack include Intel, HP, and Rockwell, and the bug-hunters believe many more vendors will be caught up in the Ripple20 saga, including Broadcom, Cisco, EMC, Nvidia, Texas Instruments, and Marvell.
"Most of the vulnerabilities are true zero-days, with four of them having been closed over the years as part of routine code changes but remained open in some of the affected devices," the JSOF crew said. "Many of the vulnerabilities have several variants due to the stack configurability and code changes over the years."
Updating a device to use the latest version of the Treck TCP/IP stack, namely 220.127.116.11, will squash the bugs. The software's maker said in a statement:
Treck is committed to delivering secure, high performing products. For more than 20 years we have been consistently working to maintain the quality and integrity of our products. Our latest version of Treck’s TCP/IPv4/v6 and associated protocols has been updated to include fixes for a group of vulnerabilities (VU#257161 and ICS-VU-035787) that were reported by Moshe Kol and Shlomi Oberman of the independent security research group, JSOF. Treck is also providing patches for each issue that was reported. Some of the issues are of high severity. The exposure to these high severity issues greatly depends on the Treck products being used.
On the bright side, there are no reports of any of the flaws being targeted in the wild, so hardware vendors have time to rebuild their firmware images with the fixed stack and push these out to machines worldwide. We all know this is unlikely to happen in a widespread manner: manufacturers may decline to update older gear, or may not care, or punters may not realize they need to apply security updates nor care, and some gadgets may not be field upgradeable.
The flaw-finders promised to spill the beans about the holes in August when they're due to present their work during the online version of the annual Black Hat USA security conference. ®