17 June 2020

Ripple20 flaws expose hundreds of millions of devices to remote attacks


Hundreds of millions of IoT devices are at risk of remote hijacking due to dangerous security flaws affecting the Treck TCP/IP stack, which is a high-performance TCP/IP protocol suite designed for embedded systems.

According to Israel-based cybersecurity company JSOF, the Treck TCP/IP stack is plagued by a total of 19 vulnerabilities, which are collectively tracked as Ripple20.

The vulnerabilities classified as critical and high-risk could be exploited to achieve remote code execution, perform denial-of-service attacks, and to obtain potentially sensitive information. Exploitation involves sending specially crafted IP packets or DNS requests to the targets, and in some cases it may be possible to launch attacks directly from the internet.

“Ripple20 vulnerabilities are unique both in their widespread effect and impact due to supply chain effect and being vulnerabilities allowing attackers to bypass NAT and firewalls and take control of devices undetected, with no user interaction required. This is due to the vulnerabilities’ being in a low-level TCP/IP stack, and the fact that for many of the vulnerabilities, the packets sent are very similar to valid packets, or, in some cases are completely valid packets. This enables the attack to pass as legitimate traffic,” JSOF explained.

The researchers say the list of affected vendors includes companies ranging from one-person boutique shops to Fortune 500 multinational corporations, such as HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar and Baxter, as well as many other major international vendors suspected of being vulnerable in the medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries.

Of the 19 vulnerabilities, four received the highest ratings of 10 and 9.8 on the CVSSv3 vulnerability severity scale:

  • CVE-2020-11896 (CVSSv3 score: 10) - Improper handling of length parameter inconsistency in IPv4/UDP component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution.

  • CVE-2020-11897 (CVSSv3 score: 10) - Improper handling of length parameter inconsistency in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in possible out-of-bounds write.

  • CVE-2020-11898 (CVSSv3 score: 9.8) - Improper handling of length parameter inconsistency in IPv4/ICMPv4 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in exposure of sensitive information.

  • CVE-2020-11899 (CVSSv3 score: 9.8) - Improper input validation in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information.
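The "length parameter inconsistency" named in the first three entries is a mismatch between what a packet's length fields claim and the bytes actually received. As an added example (not Treck's code or JSOF's), the check below builds constructed IPv4/UDP datagrams and reports such mismatches, the validation a hardened stack or a network monitor should perform before trusting any length field; addresses, ports and payload are made up for the sample.

```python
import struct

UDP_PROTO = 17

def build_ipv4_udp(payload: bytes, total_len=None, udp_len=None) -> bytes:
    """Constructed IPv4/UDP datagram (no checksums). total_len / udp_len overrides
    let a sample deliberately disagree with the bytes that are actually present."""
    if udp_len is None:
        udp_len = 8 + len(payload)
    if total_len is None:
        total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, UDP_PROTO,
                         0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp_hdr = struct.pack("!HHHH", 40000, 53, udp_len, 0)
    return ip_hdr + udp_hdr + payload

def check_ipv4_udp_lengths(pkt: bytes) -> list:
    """Return the length-field inconsistencies found in one IPv4/UDP datagram.
    An empty list means every length field agrees with the bytes received."""
    problems = []
    if len(pkt) < 20:
        return ["shorter than the 20-byte minimum IPv4 header"]
    ver_ihl, _, total_len, _, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    if ver_ihl >> 4 != 4:
        return ["not an IPv4 packet"]
    if flags_frag & 0x3FFF:            # MF flag set or non-zero fragment offset
        return ["fragment: reassemble before checking transport lengths"]
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return [f"IHL {ihl} is below 20 or runs past the packet"]
    if total_len < ihl:
        problems.append(f"total length {total_len} smaller than header length {ihl}")
    if total_len > len(pkt):
        problems.append(f"total length {total_len} exceeds the {len(pkt)} bytes received")
    if pkt[9] != UDP_PROTO or problems:
        return problems                # only check UDP once the IP layer is sane
    ip_payload = total_len - ihl
    if ip_payload < 8:
        return [f"IP payload of {ip_payload} bytes cannot hold a UDP header"]
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    if udp_len < 8:
        problems.append(f"UDP length {udp_len} below the 8-byte header minimum")
    elif udp_len != ip_payload:
        problems.append(f"UDP length {udp_len} disagrees with IP payload {ip_payload}")
    return problems
```

A stack that copies or parses using one of these fields without cross-checking the others is exactly what the CVE descriptions above call improper handling of a length parameter inconsistency.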

At the end of March, Treck released security patches to address the Ripple20 vulnerabilities, but the researchers say that in some cases it’s not possible to install them and users will need to implement measures to mitigate the risk of attacks.

JSOF also pointed out that some of the identified flaws were patched over the years by vendors as part of routine code changes but remained open in some of the affected devices. Furthermore, many of the vulnerabilities have several variants due to the stack's configurability and code changes over the years, the researchers say.
