Millions of devices, from consumer products like printers and IP cameras to specialized devices used across organizations such as video conferencing systems and industrial control systems, are at risk due to critical vulnerabilities found in an embedded TCP/IP library. Some of the flaws allow for remote code execution over the network and can lead to a full compromise of the affected device.

The vulnerabilities were found by an Israeli company called JSOF that specializes in the security of IoT and embedded devices. They affect a proprietary implementation of network protocols developed by a company called Treck. The researchers found 19 flaws, several of which are rated critical, and have dubbed them Ripple20 because they were reported in 2020 and have a ripple effect across the embedded supply chain.

JSOF worked with researchers from IoT security and visibility firm Forescout to identify potentially affected products by using TCP/IP network signatures in its large knowledge base of embedded devices. The researchers also worked with ICS-CERT, the critical infrastructure arm of the US Cybersecurity and Infrastructure Security Agency (CISA), to notify and confirm affected products and vendors.

So far, products from 11 vendors have been confirmed as vulnerable, including infusion pumps, printers, UPS systems, networking equipment, point-of-sale devices, IP cameras, video conferencing systems, building automation devices, and ICS devices, but the researchers believe the flaws could impact millions of devices from over 100 vendors.

Memory corruption vulnerabilities

All the vulnerabilities are memory corruption issues that stem from errors in the handling of packets sent over the network using different protocols, including IPv4, ICMPv4, IPv6, IPv6OverIPv4, TCP, UDP, ARP, DHCP, DNS or the Ethernet Link Layer. Two vulnerabilities are rated 10 in the Common Vulnerability Scoring System (CVSS), which is the highest possible severity score. One can result in remote code execution and one in an out-of-bounds write. Two other flaws are rated above 9, meaning they’re also critical and can result in remote code execution or the exposure of sensitive information.

Even if rated lower, the remaining vulnerabilities might be serious, as CVSS scores don’t always reflect the risk to actual deployments based on the type of devices. For example, in a critical infrastructure or healthcare setting, a denial-of-service vulnerability that prevents a device from performing its vital function can be seen as critical and could have disastrous consequences.
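The effect described above can be made concrete with the environmental metrics of CVSS, which let a defender re-score a flaw for a specific deployment. The following is an added example, not part of the original article: it assumes CVSS v3.1 with unchanged scope, and the vector is constructed to represent a generic network-reachable denial-of-service flaw, not any specific Ripple20 CVE.

```python
import math

# CVSS v3.1 metric weights (scope unchanged only, to keep the example short).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5}  # how much the deployment depends on C, I or A

# Constructed sample: unauthenticated remote DoS, no confidentiality/integrity impact.
DOS_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"

def roundup(x):
    """Round up to one decimal place as defined in the CVSS v3.1 specification."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """Split 'AV:N/AC:L/...' into a dict; changed scope is out of scope here."""
    m = dict(part.split(":") for part in vector.split("/"))
    if m.get("S") != "U":
        raise ValueError("this example handles S:U vectors only")
    return m

def score(vector, cr="M", ir="M", ar="M"):
    """Environmental score for the given C/I/A requirements.
    With every requirement at Medium the result equals the base score."""
    m = parse(vector)
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]] * UI[m["UI"]]
    iss = 1 - ((1 - REQ[cr] * CIA[m["C"]])
               * (1 - REQ[ir] * CIA[m["I"]])
               * (1 - REQ[ar] * CIA[m["A"]]))
    impact = 6.42 * min(iss, 0.915)
    if impact <= 0:
        return 0.0
    return roundup(min(impact + expl, 10))

def severity(s):
    """Qualitative rating bands from the CVSS v3.1 specification."""
    return ("None" if s == 0 else "Low" if s < 4 else
            "Medium" if s < 7 else "High" if s < 9 else "Critical")

if __name__ == "__main__":
    for label, ar in (("office printer", "L"), ("base score", "M"), ("infusion pump", "H")):
        s = score(DOS_VECTOR, ar=ar)
        print(f"{label:15} availability requirement {ar}: {s} ({severity(s)})")
```

The same denial-of-service vector moves from Medium to Critical purely on how much the deployment depends on the device staying available.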
