IoT devices are increasingly present in our homes. Unfortunately, many of them never receive security updates despite being connected to the Internet, so as soon as a flaw is discovered in them they remain vulnerable forever. Now the United States Department of Homeland Security and CISA ICS-CERT have issued a warning after the discovery of nearly twenty vulnerabilities that affect 500 manufacturers worldwide.
Called Ripple20, the 19 zero-day vulnerabilities affect Treck's low-level TCP/IP software library. An attacker who exploits them can gain full control of a device without any user interaction.
Ripple20: 19 Vulnerabilities, Two of Them Rated 10 Out of 10
JSOF, the Israeli company that discovered the vulnerabilities, says the affected devices are found everywhere: homes, industry, hospitals, data centers, transportation, nuclear power plants, oil facilities, and so on. With them, it is possible to steal data from a printer, make a machine fail, change the flow through a pipe so that it explodes, and more.
An attacker can thus get in without leaving any trace. In total there are four critical vulnerabilities with CVSS scores above 9 (two of them, CVE-2020-11896 and CVE-2020-11897, score a full 10), and they allow an attacker to execute arbitrary code on the devices remotely. CVE-2020-11896 is triggered by sending modified packets over IPv4, while CVE-2020-11897 does the same over IPv6. The other 15 vulnerabilities have CVSS scores ranging from 3.1 to 8.2, enabling anything from a DoS attack to remote code execution. In the following video you can see how one of the vulnerabilities is used to shut down a UPS remotely.
Some of the vulnerabilities have already been patched by Treck and other vendors over the years as a side effect of code and configuration changes. However, this also creates more problems, since variants of the vulnerabilities exist that have not yet been identified and will not be identified any time soon. The patches released so far are available in Treck 6.0.1.66 or later.
Millions of Devices Will Never Get a Patch
The researchers have contacted the affected manufacturers, which include companies such as HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar and Baxter. Most have acknowledged the vulnerabilities, and the rest are still analyzing them before communicating anything to the public. Disclosure of these vulnerabilities was delayed twice because of Covid-19, extending the grace period from 90 to 120 days. Even so, some companies seemed more concerned with protecting their image than with patching the vulnerabilities.
Since many devices will never receive patches, the researchers recommend minimizing the Internet exposure of these devices, or simply ensuring that they have no Internet connection at all. Another option is to isolate them from the main company or home network, for example by putting them on a guest WiFi network. They also recommend using a VPN.
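Putting unpatchable devices on their own segment, as the researchers recommend, comes down to filtering what may cross between that segment, the trusted network and the Internet. The nftables ruleset below is an added example for a Linux router, not something from the article or from JSOF; the interface names, subnets and the allowed ports are assumptions you would adapt to your own devices.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the article): isolate an IoT segment on a Linux router.
# Assumed interface names and subnets (constructed for this example):
#   lan0  192.168.1.0/24  trusted LAN
#   iot0  192.168.50.0/24 IoT devices (e.g. the printer or UPS from the article)
#   wan0  upstream Internet link
flush ruleset

table inet iot_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections opened from the trusted side or by the device itself
        ct state established,related accept
        ct state invalid drop

        # Nothing unsolicited from the Internet may reach the IoT segment:
        # this is the "minimize Internet exposure" part
        iifname "wan0" oifname "iot0" drop

        # IoT devices must never initiate traffic into the trusted LAN
        iifname "iot0" oifname "lan0" drop

        # IoT -> Internet: only what the devices actually need (assumed: DNS, NTP, HTTPS).
        # Delete these two accept lines to cut the segment off from the Internet entirely.
        iifname "iot0" oifname "wan0" udp dport { 53, 123 } accept
        iifname "iot0" oifname "wan0" tcp dport { 53, 443 } accept
        iifname "iot0" oifname "wan0" log prefix "iot-egress-blocked: " drop

        # Trusted LAN may talk to the IoT devices (e.g. print on port 9100), but only
        # on ports chosen explicitly; anything else is logged and dropped
        iifname "lan0" oifname "iot0" tcp dport { 443, 9100 } accept
        iifname "lan0" oifname "iot0" log prefix "lan-to-iot-blocked: " drop

        # Trusted LAN -> Internet
        iifname "lan0" oifname "wan0" accept
    }
}
```

The two `log ... drop` rules give you a record of every blocked attempt, which is also the quickest way to spot a device that unexpectedly starts talking to something it should not.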