A partnership between Tenable and JSOF continues to uncover additional devices vulnerable to Ripple20.
Update September 9, 2020: The Affected Vendors section has been updated based on feedback from vendors.
On June 16, researchers from JSOF research lab disclosed a set of 19 vulnerabilities, dubbed “Ripple20”, which could impact millions of operational technology (OT), Internet of Things (IoT), and IT devices. The vulnerabilities exist within an embedded TCP/IP software library developed by Treck Inc., a developer of embedded internet protocols. The Tenable Security Response Team first wrote a blog post about the Ripple20 vulnerabilities on the day of its disclosure, which evoked memories of URGENT/11, a group of eleven vulnerabilities in the real-time operating system VxWorks, that were disclosed in 2019.
A Complex Supply Chain
Treck’s TCP/IP library has been widely adopted by numerous device vendors that have reused and repurposed it for more than two decades. This includes a split-off library known as Kasago, now managed by Elmic Systems as well as many rebranded names for the library such as QuadNet, GHNet V2, Net+ OS, KwikNet and others. This has resulted in a very complex supply chain problem. JSOF worked closely with multiple vendors and agencies including the CERT Coordination Center (CERT/CC) and the Cybersecurity and Infrastructure Security Agency (CISA) to help track down and notify vendors about these vulnerabilities. With potentially hundreds of vendors affected, identification and notification was naturally going to be a challenge. Adding to this complexity is the fact that each device may have divergent code due to unique implementation necessary for their specific use case and a multitude of configurable compilation options, which could alter how the device might respond to specific network requests. Because of this, each potentially vulnerable device requires a different method to confirm exploitability.
More Vulnerable Devices Identified by Tenable
When the Ripple20 advisory was published, Tenable Research contacted JSOF to collaborate on the discovery of affected devices. During the initial disclosure, several vendors had been notified, and many were evaluating their product lines to determine if any devices they offered were affected. Because of the myriad ways in which vendors likely repurposed the Treck library, identification, correction, and patch availability will require an extensive amount of time. In some cases, device vendors may no longer be in business, meaning those affected devices will not receive patches or support.
With guidance from JSOF on various detection methods, the Tenable Research team was able to help identify 34 additional vendors and 47 additional devices that were potentially affected. The findings were reported to JSOF who continues to work with CERT/CC on the disclosure process with the affected vendors.
Tenable has adopted multiple vendor-agnostic approaches to detecting the Treck stack while trying to ensure the detection methods used are not destructive to the assets being scanned. Using multiple approaches for detection, helps enhance Tenable's ability to provide coverage for the diverse Treck libraries used by various devices. The vendors in the following list have been contacted by JSOF or CERT/CC, in cooperation with other CERT entities including CERT-IL. In some cases, the products below may still be under evaluation to determine if they may be affected. It’s important to note that this is not an exhaustive list and we anticipate uncovering additional devices that may be affected, which we will determine as our testing efforts continue.
* Note: At the time this blog was published, IBM has not confirmed if WebSphere DataPower is affected, but has provided a list of storage devices not affected by Ripple20.
** Note: After a thorough analysis, Dell has confirmed to Tenable that iDRAC is not vulnerable to Ripple20.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities can be found here and will be updated as additional plugins are released. Additionally, several plugins to identify the Treck and Kasago Network stacks have been released and can be found here.
Tenable.ot customers should contact their CSM to get access to Suricata rules that can be used for detection. These rules will be fully integrated in the next service pack of the current release and later versions.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.