On June 16, 2020, security researchers from JSOF disclosed a series of zero-day vulnerabilities in a widely used TCP/IP software library developed by Treck, Inc. The disclosure dubbed Ripple20, includes 19 vulnerabilities said to affect hundreds of millions of devices. According to their website, Treck has been designing, distributing and supporting real-time embedded internet protocols for worldwide technology leaders since 1997. Treck’s libraries have been widely adopted and embedded in devices from many major and smaller manufacturers which JSOF highlights in their research as “including HP, Schneider Electric, Intel,  Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being of vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries.”

Armis Insight and Perspective

We wanted to provide some insight from Armis in response to inquiries we have received, given how this disclosure, based on low level TCP/IP exposures, is similar to Armis’ disclosure of URGENT/11 last year, which impacted several Real Time Operating Systems (RTOS). Our original disclosure in July 2020 focused on VxWorks®, which is used by over 2 billion devices including critical industrial, medical and enterprise devices. Through follow-on efforts we made a second, expanded disclosure in Oct. 2020, as the Armis research team discovered that the vulnerabilities extended beyond VxWorks to also include six additional RTOS that supported the same IPnet TCP/IP stack. That second disclosure was in coordination with the FDA and DHS advisories for medical and ICS devices.

Combined with URGENT/11, the Ripple20 disclosure highlights that companies need to not only look at the security issues of new connected devices, but legacy devices with embedded risks, such as we have seen here in older TCP/IP stacks. This reinforces the need for security researchers to continue to identify these low level flaws as the list of companies and devices impacted by similar vulnerabilities is extensive and covers a broad spectrum of industries. Based on the devices identified in URGENT/11 and Ripple20, these exposures highlight risks to manufacturing, supply chain, retail, and corporate offices.

Security Challenges in the Embedded Systems Software Supply Chain

As with URGENT/11, Ripple20 is a set of vulnerabilities that affect a specific software library that enables a device to communicate over networks. Of the 19 vulnerabilities that were disclosed, two have been assigned critical CVSS scores of 10 and four others assigned with scores between 7 and 10. There is a high potential for impact if successfully exploited in an enterprise environment. Treck has issued Vulnerability Response Information for their customers, and it is expected that major manufacturers will develop and release patches for their customers. However, as we have seen, manufacturers large and small may have challenges developing patches due to complexity, lack of internal capabilities to develop such updates, etc. Even where patches are issued, the lifespan of this TCP/IP stack means that, as with IPnet and URGENT/11, these exposures are widespread and will be difficult if not impossible to patch for a multitude of reasons, such as:

• Devices are aged, and may no longer be supported by the manufacturer
• The manufacturer may no longer have a support agreement with their OS or library vendor
• Patching requires physical interaction with the device
• No standard, centralized or efficient means of updating many of the impacted devices
• Some of the impacted devices are in mission critical applications and cannot be updated safely

Additional Potentially Impacted Vendors and Devices

Current # of impacted companies, and new companies potentially impacted, identified by Armis.

JSOF currently identifies impacted vendors of Ripple20 in their report.

A list of Ripple20 vulnerability advisories, patches, and updates is available on BleepingComputer.

The CERT Coordination Center lists 65 vendors potentially at risk with 18 highlighted as ‘Affected,’ spanning consumer and enterprise devices across all industries. The fact is with the growing number of new connected and unmanaged devices, there are hundreds of millions – if not billions – of legacy connected devices that are potentially at risk and need to be secured.

Armis has the ability to passively identify the underlying TCP/IP stack used by devices providing visibility into impacted devices that most other security vendors can’t. That is how we detected devices impacted by URGENT/11, even when those devices weren’t using VxWorks, and even before their vendor had identified itself as being vulnerable to URGENT/11. This led to the discovery of additional vulnerable devices which revealed the exposure of additional RTOSs. Similarly, Armis can identify devices running the exposed TCP/IP software library by Treck. 

Using the Armis Agentless Device Security platform, we have been able to identify 17 additional companies and device types that use the Treck TCP/IP stack and could be at risk. At this time, we do not know if they are specifically impacted. They are:

It’s important to note that these vendors were identified using sample data from the Armis Agentless Device Security platform from the past two weeks, so this isn’t necessarily a complete list of vendors that use the Treck TCP/IP stack which might be at risk from the Ripple20 vulnerabilities.

However, to illustrate the potential impact of just one device category, let’s take a look at payment terminals. Verifone, is one of the market leaders in this category, and their devices represent 45% of all connected payment terminal devices in the Armis Device Knowledgebase. In April 2018, Verifone was taken private, and at the time stated that they had a growing footprint of more than 30 million payment devices in more than 150 countries. According to P&S Intelligence, a provider of market research, the global market for mobile payment terminals is projected to grow 17.9% CAGR between 2020 and 2030. If you assume Verifone had a modest unit growth rate of 15% CAGR from 2018 until now, then there could be as many as 40 million of these devices in the market today. Given that payment terminals have been noted as recently as November by Krebs on Security that resulted in the sale of 4 million stolen cards and tied to breaches at several restaurant chains, we were alarmed to note one of the industry’s largest providers of payment terminals was amongst those vendors that we have identified.

With this type of potential impact, quickly identifying any vendors that may be at risk, and getting a full scope of impacted devices, as soon as possible, is key for all players involved — security vendors, device manufacturers, software vendors.

How Armis Identifies Ripple20 Vulnerabilities and Attacks

Armis is purpose-built for this new age of unmanaged devices – whether a brand new device used in a hospital to a legacy device with a vulnerable TCP/IP stack in a power plant. Without deploying any agents, we can passively identify devices on your network, including the following:

• Device name
• Device category
• Device type
• Device model
• Device brand
• IP address
• MAC address
• Device manufacturer & reputation 
• Application & version number 

These are just a few of the items we can identify. For a more complete list, please click here. However, it was our ability to passively identify the underlying TCP/IP stack used by each device that allowed us to detect those impacted by URGENT/11 as well as other vulnerable devices which exposed the additional RTOSs. Specifically, in the same way we were able to identify devices with the vulnerable IPnet stack regardless of RTOS, we can identify devices running the exposed TCP/IP software library developed by Treck. We are already in the process of providing new queries to our customers who wish to conduct their own review of their potential exposure using the Armis platform. 

Armis allows security and IT professionals to run simple queries in our console to identify devices with Treck as their TCP/IP stack.

You can run simple queries to identify impacted devices.

The results identify devices, along with risk scores, allowing you to drill into each device to get more information.

Example of the risk score of a device vulnerable to Ripple20.

Beyond identifying impacted devices and risk factors, Armis is able to see and stop active attacks – whether that be a Ripple20 exploit or more prevalent ransomware. Because we track the behavior and interactions of devices, we can detect anomalies in those behavior patterns. In light of the announcement of Ripple20, Armis has also added those signatures to our Threat Detection engine. 

To learn more about Armis Threat Detection, download this solution brief.

If you would like to request a demo of how we identify RIpple20, please click here.