Mobile News

Researchers Find More Devices, Vendors Vulnerable to Ripple20

Tenable and JSOF identified another 47 devices, some from 34 new vendors, at risk to Ripple20 vulnerabilities, found in the embedded software of the TCP/IP communication stack.

medical device security IoT Ripple20 vulnerabilities patch management disclosures healthcare

By Jessica Davis

- An additional 34 devices have been identified as vulnerable to Ripple20 flaws, which are found in the TCP/IP communication stack software developed by Treck, according to a report from Tenable Research, with guidance from JSOF. 

JSOF was the first to disclose the set of 19 Ripple20 vulnerabilities in June, which impacted millions connected devices, including IoT medical devices. With multiple remote code execution vulnerabilities, Ripple20 is found integrated software designed by Treck, a developer of low-level network protocols for embedded devices. 

The majority of the vulnerabilities are caused by bugs in memory management and “historically related KASAGO TCP/IP middleware from Zuken Elmic (formerly Elmic Systems) is also affected by some of these vulnerabilities.” 

Four of the vulnerabilities are ranked critical, two are listed at the highest severity, and two are ranked 9.0 out of 10. One vulnerability could allow the leak of information and is ranked at 9.1 in severity, while another could give a hacker remote access from outside of the network. 

A successful exploit could also allow an attacker to perform malicious activities, such as data theft and disrupting the devices function. 

JSOF worked with the Department of Homeland Security Cybersecurity and Infrastructure Security Agency to track down and identified the impacted devices and vendors. 

“Treck’s TCP/IP library has been widely adopted by numerous device vendors that have reused and repurposed it for more than two decades,” Tenable researchers explained. “This has resulted in a very complex supply chain problem.” 

“With potentially hundreds of vendors affected, identification and notification were naturally going to be a challenge,” they added. “Each device may have divergent code due to unique implementation necessary for their specific use case and a multitude of configurable compilation options, which could alter how the device might respond to specific network requests.” 

As a result, each device potentially vulnerable to Ripple20 requires a different technique to confirm whether it’s exploitable. 

Following the initial disclosure, Tenable contacted JSOF to partner on identifying impacted devices using several vendor-agnostic approaches. The detection methods were designed to prevent destruction to the scanned assets. 

The researchers have since identified a potential 47 more devices and 34 additional vendors. These were shared with JSOF, which is continuing to work with US-CERT. The impacted vendors were also contacted by JSOF or CERT. Some products are currently being evaluated to determine if they’re indeed affected by Ripple20. Included in the list were components of the GE Healthcare Interlogix TVF-3102. 

Tenable is continuing its research on Ripple20 and compiling a list of potentially impacted devices. The current list is not exhaustive, and researchers anticipate more additional devices will be uncovered in the near future. 

As noted by SecureLink CISO Tony Howlett in July, the devices most at risk to Ripple20 are found in the healthcare sector, most notably its infusion pumps. Given the likely forthcoming patches to remediate the risk and healthcare’s current challenges with patch management, Ripple20 will become a major project for healthcare organizations moving forward. 

“Trying to wrangle those devices is already a big job,” Howlett said at the time. “People are going to have to get more serious about this. It’s already reached paradox levels, as it’s everywhere. If someone gets a foothold onto their network, they can launch other attacks and infect other devices.”  

“Start thinking about IoT as something that needs all of the protection, as many of these IoT devices can’t load endpoint protection outside of what the manufacturer has already installed,” he added. “It’s a public health issue. Hopefully this is a wakeup call before a major disaster, giving us more visibility and getting more people protected.”