Reduce Risks Associated with Ripple20 (R20)

Ripple20, CVE-2020-11896 – CVE-2020-11914, is a group of 19 exploitable flaws discovered by researchers Moshe Kol and Shlomi Oberman. Both researchers are of an independent security research group, JSOF, in code created by a company named Treck. According to Treck’s website, the firm specializes in “designing, distributing, and supporting real-time embedded internet protocols for worldwide technology leaders.” 

This collection of associated vulnerabilities likely earned its name from two key factors. First– the ‘20’. Simply put, the code library behind it was created roughly twenty years ago. Secondly – the ‘Ripple’ comes from the fact that it is estimated the library containing the vulnerabilities has been licensed for modification and reuse as a dynamic or linked library in the code that runs network and internet-connected devices at a rate that consistently increased year over year. Both the aforementioned factors combined make the moniker apropos in the way it vividly encompasses the associated impact of the vulnerability which is massive and difficult to accurately determine.

According to Carnegie Mellon University Software Engineering Institute CERT Coordination Center’s Vulnerability Note VU#257161, released on 16 June 2020, 

Treck IP network stack software is designed for and used in a variety of embedded systems. The software can be licensed and integrated into various ways, including compiled from source, licensed for modification and reuse, and finally as a dynamic or static linked library. Treck IP software contains multiple vulnerabilities, most of which are caused by memory management bugs. Historically-related KASAGO TCP/IP middleware from Zuken Elmic (formerly Elmic Systems) is also affected by some of these vulnerabilities. These vulnerabilities likely affect industrial control systems and medical devices.

Treck’s website, which has added a page called “Vulnerability Response Information”, has already created patch fixes for the vulnerabilities. They are also working with customers to help determine what devices are impacted by the issues.

The specific impact of these vulnerabilities is dependent on several factors including the build versions and runtime options used in the creation of the device in question. More specifically, many of the impacted manufacturers have presented mitigation solutions to combat Ripple20. Directives for mitigations outlined in the CERT advisory recommend users update their products with patches from Treck. Manufacturers like Schneider Electric, Rockwell, and Caterpillar have created pages that specifically address the Ripple20 vulnerabilities.

To help reduce risks associated with Ripple20 (R20):

• Ensure R20 impacted devices are on isolated networks separate from networks used for regular business and especially ensure they are not accessible from the internet.
• Use dedicated laptops or tablets to perform any activities on the isolated network designated for R20-impacted devices, ensure those laptops/tablets are only used for servicing devices and not general use
• Scan all computing devices and digital media/storage, such as DVD or USB, with Anti-virus before addition to the isolated network or use or interaction with R20-impacted devices
• Control physical access to impacted devices
• Work with your vendors to identify systems impacted by R20 and patch them as soon as possible