A new series of network zero-day vulnerabilities affecting devices from many different vendors was discovered by the security consulting company JSOF. Four of the vulnerabilities are rated critical and are capable of leading to remote code execution. The Ripple20 series of vulnerabilities are part of the Treck TCP/IP network stack used in embedded devices across several industries such as industrial, medical, retail, oil, home devices and more. JSOF estimates that hundreds of millions of devices could be affected due to how widespread the Treck network library is. A list of 79 vendors can be found on the announcement along with a current vulnerability status. As of now, eight vendors are listed confirmed vulnerable, five have self-reported themselves as “not affected” and 66 are currently unknown. For more technical details, a whitepaper is available by filling out a form on the announcement page and a second paper will be released after BlackHat USA 2020 which will detail DNS vulnerability CVE-2020-11901. JSOF will also provide scripts upon request to identify devices that use the Treck library. For more information or requests contact [email protected].
Analyst Notes: Ripple20 has the potential to become a serious threat to exposed devices. Binary Defense highly recommends following the mitigation steps outlined by JSOF on their Ripple20 announcement page. Organizations that suspect they may be running vulnerable devices should reach out to [email protected] to obtain the script to find any devices on the network that use the Treck library. If any devices are found, they should be updated as soon as possible. If no update is available, contact the vendor to ask when an update may become available. The CERT/CC GitHub repository contains Suricata rules that may assist in detecting some attempts to exploit these vulnerabilities.