Ripple20 Vulnerabilities


The Internet of Things (IoT) has become a major topic in the cyber-security world, and its growing popularity brings potentially significant cyber risk. With such huge numbers of devices deployed across the world, the effect of a single vulnerability can be far greater than it would have been even a couple of years ago. Most IoT devices rely on an embedded TCP/IP stack as their fundamental connectivity software component, so a flaw in one widely licensed stack is inherited by every product built on it.

In late 2019, the Israel-based software company JSOF discovered a set of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. These 19 vulnerabilities were collectively named Ripple20. The library's wide distribution is a characteristic outcome of the software supply chain "ripple effect": the stack is licensed and embedded by many device vendors, often under other product names, so one set of bugs propagated to hundreds of millions of devices across sectors ranging from printers to industrial control machinery to medical equipment, including products of Fortune 500 multinational corporations.

Four of the vulnerabilities are critical, with CVSSv3 scores of 9 or above; their potential impacts range from remote code execution to exposure of sensitive information. Of the rest, as the list below shows, two are rated high (CVSS 8.2 and 7.3) and the remaining 13 are of lower severity, mostly out-of-bounds reads, information leaks and denial of service. Some of the affected code may have been in use for more than 20 years.

The 19 vulnerabilities, listed by CVE ID:

CVE-2020-11896: CVSSv3 score 10.0; potential impact: remote code execution. Improper handling of a length parameter inconsistency in the IPv4/UDP component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11897: CVSSv3 score 10.0; potential impact: out-of-bounds write. Improper handling of a length parameter inconsistency in the IPv6 component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11898: CVSSv3 score 9.1; potential impact: exposure of sensitive information. Improper handling of a length parameter inconsistency in the IPv4/ICMPv4 component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11899: CVSSv3 score 5.4; potential impact: out-of-bounds read and exposure of sensitive information. Improper input validation in the IPv6 component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11900: CVSSv3 score 8.2; potential impact: use after free. A possible double free in the IPv4 tunneling component when handling a packet sent by a network attacker.

CVE-2020-11901: CVSSv3 score 9.0; potential impact: remote code execution. Improper input validation in the DNS resolver component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11902: CVSSv3 score 7.3; potential impact: out-of-bounds read. Improper input validation in the IPv6-over-IPv4 tunneling component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11903: CVSSv3 score 5.3; potential impact: exposure of sensitive information. A possible out-of-bounds read in the DHCP component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11904: CVSSv3 score 5.6; potential impact: out-of-bounds write. A possible integer overflow or wraparound in the memory allocation component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11905: CVSSv3 score 5.3; potential impact: exposure of sensitive information. A possible out-of-bounds read in the DHCPv6 component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11906: CVSSv3 score 5.0; potential impact: integer underflow. Improper input validation in the Ethernet link layer component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11907: CVSSv3 score 5.0; potential impact: integer underflow. Improper handling of a length parameter inconsistency in the TCP component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11908: CVSSv3 score 3.1; potential impact: exposure of sensitive information. Improper null termination in the DHCP component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11909: CVSSv3 score 3.7; potential impact: integer underflow. Improper input validation in the IPv4 component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11910: CVSSv3 score 3.7; potential impact: out-of-bounds read. Improper input validation in the ICMPv4 component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11911: CVSSv3 score 3.7; potential impact: incorrect permission assignment for a critical resource. Improper access control in the ICMPv4 component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11912: CVSSv3 score 3.7; potential impact: out-of-bounds read. Improper input validation in the TCP component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11913: CVSSv3 score 3.7; potential impact: out-of-bounds read. Improper input validation in the IPv6 component when handling a packet sent by an unauthorized network attacker.

CVE-2020-11914: CVSSv3 score 3.1; potential impact: out-of-bounds read. Improper input validation in the ARP component when handling a packet sent by an unauthorized network attacker.

Identifying affected devices can be tricky, because the stack is embedded under different names in products from many vendors, and devices reachable directly from the internet are the most likely to be compromised. An attacker who compromises one such device can use it as a foothold to attack the other devices on the same network. Ripple20 highlights how hard it is to secure devices and applications inside complex software supply chains.

How to handle:

  1. Identify the devices in your inventory that run the affected stack, using vendor advisories, and apply the vendor's patched firmware where it is available.
  2. Make sure the devices are not reachable from the internet; minimize their network exposure.
  3. Isolate the devices on a secure, segmented network.
  4. Drop all IP-in-IP (tunnelled) traffic destined for the affected devices, and filter anomalous or malformed IP packets at the network boundary.
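As an added example (not code from the original article, from JSOF or from Treck), the following Python script implements the packet-level checks behind steps 1 and 4 above together with the "length parameter inconsistency" pattern named in the entries for CVE-2020-11896 and CVE-2020-11898: it parses a raw IPv4 packet, drops IP-in-IP and IPv6-in-IPv4 tunnelled traffic addressed to a hypothetical inventory of affected hosts, and drops IPv4/UDP packets whose length fields disagree with each other or with the bytes actually received. The host addresses, the packet-builder helpers and the sample frames are constructed for illustration and are not real captures.

```python
import ipaddress
import struct

# Hypothetical inventory (assumption) of hosts known or suspected to run the
# affected stack; in practice this comes from vendor advisories and asset
# management, not from this script.
AFFECTED_HOSTS = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("192.0.2.11"),
}

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4      # IPv4-in-IPv4 tunnelling
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41     # IPv6-in-IPv4 tunnelling
TUNNEL_PROTOS = {IPPROTO_IPIP, IPPROTO_IPV6}

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total len, ID, flags/frag,
                             # TTL, protocol, checksum, src, dst (20 bytes)


def classify(frame: bytes):
    """Return ('accept' | 'drop', reason) for one raw IPv4 packet.

    Only the checks relevant to the mitigations above are implemented:
    header/length sanity, the tunnelling block list and UDP length
    consistency. Checksums and IP options are deliberately not validated.
    """
    if len(frame) < 20:
        return "drop", "truncated IPv4 header"
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, dst = \
        struct.unpack(IPV4_HDR, frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return "drop", "bad IP version or IHL"
    # The declared total length must cover the header and must not claim
    # more bytes than were actually received; a stack that trusts this
    # field blindly reads past the end of its buffer.
    if total_len < ihl or total_len > len(frame):
        return "drop", "IP total length inconsistent with received bytes"
    if proto in TUNNEL_PROTOS and ipaddress.ip_address(dst) in AFFECTED_HOSTS:
        return "drop", "IP-in-IP / IPv6-in-IPv4 traffic to affected host"
    if proto == IPPROTO_UDP:
        payload = frame[ihl:total_len]
        if len(payload) < 8:
            return "drop", "truncated UDP header"
        udp_len = struct.unpack("!H", payload[4:6])[0]
        # The UDP length field must agree with the IP-derived payload length.
        if udp_len < 8 or udp_len != len(payload):
            return "drop", "UDP length inconsistent with IP payload"
    return "accept", "ok"


# --- constructed sample traffic (test helpers, not real captures) ---------

def build_ipv4(dst: str, proto: int, payload: bytes, total_len=None) -> bytes:
    """Build an IPv4 header (no options, checksum left zero) plus payload."""
    if total_len is None:
        total_len = 20 + len(payload)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address("198.51.100.1").packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_udp(payload: bytes, udp_len=None) -> bytes:
    """Build a UDP header (src 40000, dst 53, checksum zero) plus payload."""
    if udp_len is None:
        udp_len = 8 + len(payload)
    return struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload


# An inner ICMP echo packet used as the payload of the tunnel samples.
INNER = build_ipv4("10.0.0.1", IPPROTO_ICMP, b"\x08\x00\x00\x00\x00\x01\x00\x01")

SAMPLE_FRAMES = {
    # ordinary DNS query to an affected host: nothing wrong with it
    "plain_udp": build_ipv4("192.0.2.10", IPPROTO_UDP, build_udp(b"query")),
    # IP-in-IP addressed to an affected host: blocked by policy
    "ipip_to_affected": build_ipv4("192.0.2.10", IPPROTO_IPIP, INNER),
    # the same tunnel to a host not on the list: passes the policy
    "ipip_to_other": build_ipv4("192.0.2.50", IPPROTO_IPIP, INNER),
    # UDP length field claims 65535 bytes for a 13-byte datagram
    "udp_len_lie": build_ipv4("192.0.2.11", IPPROTO_UDP,
                              build_udp(b"query", udp_len=0xFFFF)),
    # IP total length claims 200 bytes but only 33 arrived
    "ip_len_lie": build_ipv4("192.0.2.11", IPPROTO_UDP, build_udp(b"query"),
                             total_len=200),
}


def run_samples():
    """Classify every constructed frame; returns {name: verdict}."""
    return {name: classify(frame)[0] for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:18s} {len(frame):3d} bytes -> {classify(frame)}")
```

The tunnelling rule is keyed on the destination address so that legitimate IP-in-IP traffic to hosts not running the affected stack is left alone; on a real network the same two rules would normally be expressed as firewall policy at the segment boundary rather than in a userspace script. The length checks are generic sanity tests, not signatures for specific Ripple20 exploits: any packet whose IP or UDP length field disagrees with what was received is malformed and should not reach an embedded stack.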
AUTHOR
Devyani Bisht
Writer And Editor
Devyani Bisht is a B.Tech graduate in Information Technology. She has 3.5 years of experience in the domain of Client Interaction. She really enjoys writing blogs and is a keen learner. She is currently working as a Technical Services Analyst with InfosecTrain.