Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2020-11896, CVE-2020-11897, CVE-2020-11901: Ripple20 Zero-Day Vulnerabilities in Treck TCP/IP Libraries Disclosed

Researchers discovered 19 new zero-day vulnerabilities in a TCP/IP software library developed by Treck. Dubbed Ripple20, the batch includes CVE-2020-11901, which has the potential to allow control of an internet-connected device.

Update June 24, 2020: We’ve updated the Identifying affected systems section to include an additional link to a newly released Tenable plugin as well as additional information for our tenable.ot customers.

Background

The JSOF research lab, a group of researchers who focus on low-level software vulnerabilities, disclosed 19 vulnerabilities they’ve named “Ripple20.” The batch affects an embedded Internet of Things (IoT) TCP/IP software library developed by Treck Inc., a developer for embedded internet protocols. This library is found in a wide array of devices from over 70 hardware vendors. When exploited, these vulnerabilities could lead to device takeover and allow an attacker to pivot from affected devices to other critical infrastructure. These vulnerabilities follow the disclosure of CVE-2020-10136, an IP-in-IP packet processing vulnerability disclosed earlier this month, which also affects IoT device TCP/IP libraries developed by Treck. Ripple20 also echoes multi-vulnerability disclosures like URGENT/11, which has continued to widen in impact over time.

Analysis

The Ripple20 vulnerabilities exist within the embedded TCP/IP software libraries developed by Treck. These libraries are licensed and used by a broad spectrum of devices manufactured by a number of vendors. JSOF notes that tracking and identifying all of the potentially affected vendors and devices is difficult for both logistical and legal reasons. Their disclosure details just how difficult it was to identify the affected supply chain, as the scope of potential risks was diverse and vast.

CVE-2020-11901 is a DNS vulnerability that would allow an attacker to obtain remote code execution (RCE) on devices redirected to a malicious web address. An attacker would first need to hijack the device’s hostname resolution by either poisoning its DNS server, or spoofing an otherwise legitimate IP address like a device update server. Standard security configurations often allow outbound connections to have fewer restrictions than inbound ones, allowing exploitation of these vulnerabilities to have a larger potential impact.

CVE-2020-11896 and CVE-2020-11897 are vulnerabilities caused by malformed packets being sent to a device that has IP tunneling enabled. JSOF confirmed CVE-2020-11896 on a Digi Connect ME 9210 by sending malformed ICMP echo requests, which allowed JSOF to inject shellcode on the device. An attacker could either obtain consistent RCEs on vulnerable devices, or cause a denial of service (DoS) until the device is reset.

The remainder of the vulnerabilities outlined in the disclosure range from RCE to sensitive information disclosure, creating a wide breadth of risks for unmitigated and unpatched devices.

A full list of CVEs can be found in the table below:

CVE ID CVSSv3* Potential Impact
CVE-2020-11896 10 Remote Code Execution
CVE-2020-11897 10 Out-of-Bounds Write
CVE-2020-11901 9 Remote Code Execution
CVE-2020-11898 9.1 Exposure of Sensitive Information
CVE-2020-11900 8.2 Use After Free
CVE-2020-11902 7.3 Out-of-bounds Read
CVE-2020-11904 5.6 Out-of-Bounds Write
CVE-2020-11899 5.4 Out-of-bounds Read
CVE-2020-11903 5.3 Exposure of Sensitive Information
CVE-2020-11905 5.3 Exposure of Sensitive Information
CVE-2020-11906 5 Integer Underflow
CVE-2020-11907 5 Integer Underflow
CVE-2020-11909 3.7 Integer Underflow
CVE-2020-11910 3.7 Out-of-bounds Read
CVE-2020-11911 3.7 Incorrect Permission Assignment for Critical Resource
CVE-2020-11912 3.7 Out-of-bounds Read
CVE-2020-11913 3.7 Out-of-bounds Read
CVE-2020-11914 3.1 Out-of-bounds Read
CVE-2020-11908 3.1 Exposure of Sensitive Information

*CVSSv3 Scores were provided by JSOF and may be subject to change

Proof of concept

JSOF has posted a Proof of Concept video to their YouTube channel demonstrating an attack:

Vendor response

Since September 2019, JSOF, Treck, CERT organizations and security vendors have been working together with hardware vendors to confirm affected devices. Confirming all of the affected devices will take considerable continued effort and time. JSOF has a list of affected vendors that can be found in the technical section of the disclosure page.

The following table contains a list of affected and non-affected vendors, sourced from CERT/CC, which maintains a list here.

Solution

Users are encouraged to reach out to their device vendors for support and updates if available. For devices that are no longer supported by their manufacturer, users can either upgrade to a supported device, or apply the recommended mitigation steps. Vendors that have already released updates include HP, Braun, Caterpillar, GHS and Rockwell.

Users can also potentially mitigate attacks by a multitude of security practices. JSOF provides a list on the disclosure page of potential mitigation options.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Additionally, Plugin ID 137703 can be used to identify devices that utilize the Treck network stack.

Tenable.ot customers should contact their CSM to get access to Suricata rules that can be used for detection. These rules will be fully integrated in the next service pack of the current release and later versions.

We would like to thank JSOF research lab, who discovered the Ripple20 vulnerabilities, for their collaboration with Tenable Research in providing additional details about the vulnerabilities, including detection information. We strongly encourage all Tenable customers to scan their environments with the plugins referenced above to determine their cyber exposure for the Ripple20 vulnerabilities.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training