Last week, the United States Department of Homeland Security released a critical security advisory on newly discovered vulnerabilities that could put organizations at risk. According to the advisory, produced by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the vulnerabilities were identified in a low-level TCP/IP software library developed by Treck, Inc.
“Successful exploitation of these vulnerabilities may allow remote code execution or exposure of sensitive information,” the advisory says.
Named “Ripple20,” the set of 19 zero-day vulnerabilities was discovered and catalogued by cybersecurity company JSOF. While these vulnerabilities could impact a variety of organizations, in industrial environments they can cause devices to malfunction.
Possible risks include an attacker from outside the network taking control of a device within it. Additionally, an attacker who has already infiltrated a network could use the library vulnerabilities to target specific devices within it. According to JSOF, an attacker could use an affected device as a way to remain hidden within the network for years.
“In the case of Ripple20, the starting point was embedded into Treck’s TCP/IP low-level Internet protocol suite library,” JSOF said in an overview of its report on the vulnerabilities. “The library could be used as-is, configured for a wide range of uses, or incorporated into a larger library. The user could buy the library in source code format and edit it extensively. It can be incorporated into the code and implanted into a wide range of device types. The original purchaser could decide to rebrand, or could be acquired by a different corporation, with the original library history lost in company archives. Over time, the original library component could become virtually unrecognizable. This is why, long after the original vulnerability was identified and patched, vulnerabilities may still remain in the field, since tracing the supply chain trail may be practically impossible.”
JSOF estimates that the vulnerabilities could affect hundreds of millions of devices. Affected vendors include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter. It is only the latest example of how supply chains are putting industrial environments at risk.
“The interesting thing about Ripple20 is the incredible extent of its impact, magnified by the supply chain factor,” JSOF said. “The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain ‘ripple-effect’. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people.”
JSOF began researching the Treck TCP/IP software library in September 2019. Within a few months, the company had found troubling evidence of potential vulnerabilities and contacted Treck to share its findings and begin a coordinated vulnerability disclosure process that included CISA and the CERT Coordination Center, the worldwide center for coordinating information about Internet security.
“It became clear to us that tracking the extent of Treck library distribution was too large for just one small team. We could track the supply chain trails, but we needed to work with international organizations to extend our reach within organizations and domains for which we had no access,” JSOF said. “This is why the Ripple20 disclosure process is being coordinated and overseen by multiple national computer emergency response team (CERT) organizations and regulators. All are collaborating in order to reach as many affected vendors as possible before the vulnerabilities became public.”
According to JSOF, it is a standard industry practice not to publicize a vulnerability until there is a patch available to fix it. Treck made a patch available in March.
“Treck is committed to delivering secure, high performing products. For more than 20 years we have been consistently working to maintain the quality and integrity of our products,” Treck said in a statement on its site. “Our latest version of Treck’s TCP/IPv4/v6 and associated protocols has been updated to include fixes for a group of vulnerabilities (VU#257161 and ICS-VU-035787) that were reported by Moshe Kol and Shlomi Oberman of the independent security research group, JSOF. Treck is also providing patches for each issue that was reported. Some of the issues are of high severity. The exposure to these high severity issues greatly depends on the Treck products being used.”