Ripple20: Dealing with the turncoat Treck stack

Jeff Costlow

Jeff Costlow, CISO, ExtraHop, discusses the series of 19 vulnerabilities found embedded in many devices worldwide and how insecure components can lead to insecure products

In network security, the past can come back at you hard. In few places is that clearer than the recent Ripple20 revelations, a series of 19 vulnerabilities found in the Treck TCP/IP software stack which—researchers say—have worked their way into hundreds of millions of embedded devices worldwide over the past couple of decades.

The disclosed vulnerabilities range from the moderately dangerous to the very serious indeed. Several have extremely high CVSS scores running between 9.8 and 10—the highest possible rating—and can allow remote code execution on affected devices or data to leak from them.

The Treck software library was first released in 1997 and has since been used in the development of all manner of software suites and embedded devices across a large swath of industries.

After all this time, it was only in September of 2019 that the researchers at JSOF, an Israeli cybersecurity consultancy, discovered the vulnerabilities in Treck’s code. JSOF responsibly disclosed their findings in June 2020 to provide Treck, and the manufacturers who embedded the code, time to develop patches.

The headliner is that JSOF found that the Treck software had “rippled” out to multiple manufacturers who went on to write code and manufacture devices using the Treck library. Those vulnerabilities were then dispersed throughout supply chains across the world over the past two decades.

Researchers estimate that the Treck vulnerabilities have made their way into hundreds of millions of products and IoT devices including within critical national infrastructure, the industrial sector, the healthcare sector, offices, transportation systems, communications equipment, the aviation industry and other safety-critical sectors.

There were 19 Treck vulnerabilities that had been discovered at the time of public disclosure. JSOF is not yet done in their investigation, so it’s entirely possible that there are more vulnerabilities yet to be discovered.

A poisoned river

This news is fulfilling the prophecy that security practitioners have warned of for years. When organisations unknowingly build with insecure components, they unfortunately build that insecurity into their products. No one is doing this on purpose, of course, but it does highlight the need for greater oversight of devices on the network.

Ripple20 is not the first instance of its kind. In June 2019, researchers revealed Urgent11—a series of vulnerabilities that had also been present for years in a widely used TCP/IP stack and were present in devices around the world.

While offering many advantages to the business, IoT has been fraught with security problems. Some manufacturers have historically forgone security considerations to get products to market. The construction of an insecure device is often not down to one manufacturer, but an entire supply chain of potentially insecure components and potential points of failure.

While there is much made of insecure connected doorbells and toys, the dangers become particularly pressing when talking about the kinds of devices the Treck stack can be found in: industrial devices, hospital equipment, critical national infrastructure and sectors where those devices could threaten human life. The fear that hackers can now reach out of the digital world to harm people in the physical realm is a real danger and one that Ripple20 has just brought closer.

The breakwater

So what does that mean for your average enterprise? It’s hard to say, given the number of devices where the library might be present. While Treck has issued patches, the vulnerabilities are buried deep. Given the years of dispersion, it is not a simple task to find devices that are potentially vulnerable. Adding to the problem, many manufacturers, if they are still in business, do not know—and have not announced—whether they used the Treck software in their devices.

Removing or patching the culprit devices may work in some cases, but this is going to be a problem that keeps resurfacing.

Many organisations will not prioritise this problem, as it will take manpower to uncover vulnerable devices. Many security practitioners are already overloaded with their day-to-day tasks, and they don’t have the time or the proper tools to uncover enemies that are already inside the castle and possibly have been for quite a while.

Perimeter security is an important part of any security posture, but Ripple20 has left the door open for adversaries to find their way into the network. Because the vulnerability is so difficult to uncover, it also gives would-be attackers a place to hang out on the network undetected. If an enterprise has neglected the interior of its network—represented by the east-west internal traffic corridor—it is at a great disadvantage, especially when it comes to Ripple20.

Visibility is the first key to uncovering vulnerabilities in your environment: visibility into what devices are connected to your network, and visibility into who is talking to whom, be it north-south or east-west communications. Behavioural analysis is needed to understand how your network should function so that you can detect when something anomalous has taken place. In the case of the Ripple20 CVEs, that could mean understanding when it’s your own vulnerability scans that are running and when it could be a malicious actor running those scans.

Attackers will be actively scanning networks looking for exposed devices. While firewalls can address scans coming from outside of the network, they won’t be able to detect internal reconnaissance.
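To illustrate the point above about telling your own scans apart from an attacker's internal reconnaissance, here is an added example (mine, not the article's or ExtraHop's) that measures per-source fan-out over constructed east-west flow records; the scanner address, maintenance window and threshold are assumptions.

```python
"""Added example, not from the article: flag internal reconnaissance in
east-west flow records and separate scheduled, authorised vulnerability
scans from unexpected ones. All addresses, times and thresholds are
constructed assumptions."""
from collections import defaultdict
from datetime import datetime, time

# Constructed: the scanner the security team runs, and when it may run.
AUTHORISED_SCANNERS = {"10.0.5.20"}
SCAN_WINDOW = (time(1, 0), time(4, 0))   # 01:00-04:00 local time
FANOUT_THRESHOLD = 20                      # distinct host:port pairs per source

def in_scan_window(ts: datetime) -> bool:
    start, end = SCAN_WINDOW
    return start <= ts.time() < end

def detect_recon(flows, threshold=FANOUT_THRESHOLD):
    """flows: iterable of (timestamp, src_ip, dst_ip, dst_port).
    Returns {src_ip: (distinct_targets, verdict)} for every source whose
    fan-out exceeds the threshold. The verdict is 'authorised-scan' only when
    the source is a known scanner and every flow fell inside its window."""
    targets = defaultdict(set)
    times = defaultdict(list)
    for ts, src, dst, dport in flows:
        targets[src].add((dst, dport))
        times[src].append(ts)
    alerts = {}
    for src, seen in targets.items():
        if len(seen) <= threshold:
            continue   # normal fan-out for a workstation or server
        authorised = src in AUTHORISED_SCANNERS and all(map(in_scan_window, times[src]))
        alerts[src] = (len(seen), "authorised-scan" if authorised else "unexpected-recon")
    return alerts

def sample_flows():
    """Constructed flows: one normal workstation, the scheduled scanner
    sweeping a subnet at 02:00, and an unknown host sweeping it at 14:00."""
    flows = [(datetime(2020, 6, 20, 9, 0), "10.0.7.15", "10.0.7.1", 445)]
    for host in range(1, 31):
        flows.append((datetime(2020, 6, 20, 2, 0), "10.0.5.20", f"10.0.9.{host}", 80))
        flows.append((datetime(2020, 6, 20, 14, 0), "10.0.7.42", f"10.0.9.{host}", 22))
    return flows

if __name__ == "__main__":
    for src, (count, verdict) in detect_recon(sample_flows()).items():
        print(f"{src}: {count} distinct targets -> {verdict}")
```

In practice the flow records would come from your NDR or flow collector rather than a constructed list, and the authorised-scanner set from your change calendar.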

Network data is key to providing the visibility that you need to understand your network. Network data provides that ground source of truth that can’t be evaded or tampered with by bad actors. Adding Network Detection and Response (NDR) into your security defences can also make your EDR and SIEM more effective.

NDR provides 100% visibility into what is connected to the network to detect that internal reconnaissance and privilege escalation along the east-west traffic corridor. NDR uses machine learning to understand the behaviors of the network, its users, and applications to detect attacks before they result in a breach of your network.

Continuous and thorough visibility of the communication between devices on your network, and the ability to understand the behaviour of those devices, will go a long way towards stopping Ripple20 threats in their tracks. As long as an attacker’s behaviour can be detected, the threat of a rogue vulnerability is vastly mitigated.

Ripple20 is a wave that has been silently building for years. Without a doubt, it is a serious problem which will affect untold numbers of enterprises and has already affected hundreds of millions of devices around the world. Although we’ve yet to see a proof-of-concept exploit for the Ripple20 vulnerabilities, enterprises can get ahead of it by enabling internal visibility into their environments and carefully monitoring their devices and networks for Ripple20 threats.
