Identifying and Protecting Devices Vulnerable to Ripple20

Daniel dos Santos | August 17, 2020
On June 16, 2020, a set of 19 vulnerabilities, collectively called Ripple20, affecting the Treck embedded IP stack were publicly disclosed by JSOF.
Treck is used by over 50 vendors and millions of devices, including mission-critical devices for healthcare, data centers and critical infrastructure. Four of the issues discovered have a critical CVSSv3 rating, and at least two can lead to Remote Code Execution – essentially, full control of a targeted device.
Most of the issues relate to the implementation of the TCP/IP stack itself, which means they do not depend on a specific application: an adversary only needs network access to the targeted device to leverage the vulnerabilities and take control of it. Table 1 presents a summary of the vulnerabilities.
Table 1 – Summary of the vulnerabilities
The vulnerabilities were first discovered by JSOF at the end of 2019 and disclosed to vendors beginning in February 2020, following industry best practices for coordinated vulnerability disclosure. The disclosure process included multiple coordination agencies, such as the DHS-CISA and the JPCERT. The process is ongoing as more vendors continue to confirm that their products are vulnerable and new vulnerable vendors are discovered. During this process, JSOF partnered with Forescout Research Labs to identify more affected vendors and devices.
This innovative approach to vulnerability disclosure, involving another cybersecurity vendor to identify vulnerable devices, was necessary because Treck is a basic connectivity component used by a range of device vendors in many different ways. For instance, the stack can be used with or without a real-time operating system, is highly configurable and is licensed under different names (Elmic, for example, commercializes the stack for the Asian market under the name KASAGO).
Vendors usually do not advertise that they use this particular IP stack, just as they rarely advertise the many other software and hardware components that go into their devices. Essentially, in the IoT world, there is no public bill of materials that allows users and organizations to know which components are part of the devices they use.
To complicate matters further, the supply chain for IoT devices can be very long. Between a software component such as Treck and an end-user device, there can be a convoluted network of ODMs, OEMs, system integrators and white-label products.
Although Treck has contacted their immediate customers, there is still a long tail of potentially affected vendors and devices to be identified (customers of customers of Treck and so on). Forescout Research Labs used Forescout’s Device Cloud, a unique data lake with information from more than 12 million devices categorized in more than 150 device types, to identify potentially impacted vendors and devices. Using the Device Cloud, we were able to identify characteristic network signatures of Treck in close to 30 potentially affected vendors.
Treck is a widely deployed embedded IP stack used by companies such as HP, Intel, Schneider Electric, DIGI and many others to create products that range from home and enterprise printers to Industrial Control Systems (ICS) and healthcare equipment.
To further identify and classify the impacted devices, we analyzed the Forescout Device Cloud to see how many and what kind of devices run Treck. Identifying devices running Treck is not easy, as discussed above. To do so, we used a combination of network signatures provided by JSOF, based on DHCP and TCP/IP fingerprints, and post-processing to eliminate potential false positives. Because this post-processing errs on the side of discarding uncertain matches, all the numbers below are a lower bound of the actual number of devices that may be running Treck.
Table 2 shows a breakdown of the number of devices matching Treck signatures per vertical. More than 90,000 devices were found running the Treck embedded IP stack, with Healthcare, Retail, and Manufacturing being the most impacted verticals.
Table 2 – Population of devices matching Treck signatures in Forescout Device Cloud: Top 5 verticals
The most common device types running Treck include infusion pumps, printers, UPS systems, networking equipment, Point of Sale devices, IP cameras, video conferencing systems, building automation devices and ICS devices.
To exploit Ripple20 vulnerabilities, an attacker needs a direct connection to an affected device or a routed path to internal networks. This means devices directly connected to the internet are those most at risk. An attacker could target these devices first, compromise them and move laterally within the network to access or infect other devices.
As an example of the impact of these vulnerabilities, a series of Shodan searches for 37 specific device models from 18 vendors (including printers, IP cameras and video conferencing systems, networking equipment and ICS devices) reveals there are around 15,000 internet-connected instances of these affected devices that could potentially be directly compromised by anybody on the internet.
Figure 3 shows the category breakdown for the example of affected devices found on Shodan. Figure 4 shows more details about affected HP LaserJet printers found on Shodan. Figure 5 shows some example screens of these devices seen online.
Figure 3 – Examples of internet-connected affected devices found on Shodan
Figure 4 – Instances of HP LaserJet printers on Shodan
Figure 5 – Example configuration screen of an internet-connected affected printer
Notice that these numbers are based on only a few vendors and models that are known to be vulnerable, and that some of the most popular device types, such as infusion pumps and point-of-sale devices, are not included since they are not usually directly connected to the internet. As mentioned at the beginning of this post, the actual number of affected devices is likely in the tens of millions.
This means mitigation actions, such as identifying the vulnerable system versions to prioritize patch updates and further isolating them with segmentation techniques, need to occur as soon as possible.
Complete protection from Ripple20 requires patching devices running the vulnerable version of the IP stack. However, this is not as easy as it sounds because:
For the reasons above, we recommend the following mitigation strategy using Forescout products:
For more information on how to use Forescout products for Ripple20 risk mitigation, please refer to: