Ripple20 vulnerabilities in IoT supply chains.
Researchers at Israeli cybersecurity firm JSOF have discovered nineteen vulnerabilities in a low-level TCP/IP software library used by "hundreds of millions" of IoT devices. The code was developed by the Ohio-based company Treck and has been integrated into the IoT supply chain since its release in the late '90s. The set of flaws, dubbed "Ripple20," includes four remote code execution vulnerabilities, two of which received CVSS scores of 10. Treck has developed patches for the flaws and urges its customers to contact them for more information, noting that the level of exposure to the vulnerabilities varies greatly from product to product.
The real challenge, however, is the fact that many IoT vendors likely don't know if their products contain the vulnerable code. JSOF collaborated with CERT/CC and the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to track down "as many affected vendors as possible before the vulnerabilities became public," but there are many others whose status is still unknown. The researchers state, "Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries."
CISA and CERT/CC lay out mitigations to minimize the risk of exploitation, and JSOF is offering a script that can help in some cases to determine whether a device is vulnerable. But despite these efforts, ZDNet concludes that the vulnerabilities "will haunt the IoT landscape for years to come."