IoT security under threat from supply chain effect

Ripple20 is the name that has been given to a set of security holes that can potentially affect hundreds of millions of connected objects using a software library. Experts from an Israeli cybersecurity consulting firm said the vulnerabilities affected a TCP/IP library designed by the US software company Treck in the 1990s.

This library is sold by the American publisher in source code format. Licensees can then adapt it to their own needs and combine it with components from other vendors. As the number of derived products increases, it becomes harder and harder to keep track of which products embed the library and which security flaws they carry.

On the CVSSv3 scale, 4 of the 19 flaws identified are rated critical. Of these 4, 2 received the worst possible score of 10/10.

One of the critical errors, CVE-2020-11896, is related to an IPv4 tunneling issue. This error, which poses a risk of remote code execution, was corrected by Treck in version 6.0.1.66 of its library. The other, CVE-2020-11987, comes from a flaw in IPv6 handling. The most serious consequence of this error, if left unpatched, is memory corruption.

However, the researchers argue that these two vulnerabilities are not the most critical problem despite their ratings: special attention should be paid to CVE-2020-11901. This error carries a 9/10 risk rating but is potentially more dangerous, since it is triggered by manipulated responses to DNS queries issued by the targeted system, posing a risk of remote code execution.

From August 1 to 6, a report dedicated to this flaw will be presented at Black Hat USA. The PoC (proof of concept) will be performed on a Schneider Electric inverter. At least seven other suppliers are affected, in addition to Schneider Electric.

At the moment, users are advised to update the library to version 6.0.1.67 as the best remedy for these critical errors. Other mitigations include traffic-filtering measures such as enforcing TCP inspection, disabling DHCP where static IPs can be used, and blocking IPv6 multicast.
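Where a patched library cannot be deployed yet, the filtering measures above are usually expressed as firewall or IDS rules in front of the devices. The following is an added example (not code from Treck, the researchers, or any vendor) of those header-level rules applied to constructed raw IP packets: it drops IP-in-IP and IPv6-in-IPv4 tunneling (the traffic class behind the IPv4 tunneling flaw), IPv6 multicast, and DHCP when static addressing is in use. TCP inspection is stateful and is not covered here; the protocol numbers, ports and sample packets are assumptions built for the demo.

```python
"""Header-level filter for the interim Ripple20 mitigations named above.
Added example; rule set and sample packets are constructed, not vendor code."""
import struct
import ipaddress

IPV4_TUNNEL_PROTOS = {4, 41}   # IP-in-IP and IPv6-in-IPv4 (IANA protocol numbers)
DHCP_PORTS = {67, 68}          # BOOTP/DHCP server and client UDP ports

def classify(pkt: bytes, static_ips: bool = True) -> str:
    """Return 'allow' or 'drop:<reason>' for one raw IP packet (no link layer)."""
    if len(pkt) < 20:
        return "drop:truncated"
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4           # header length in bytes
        proto, payload = pkt[9], pkt[ihl:]
        if proto in IPV4_TUNNEL_PROTOS:     # disable IP tunneling into the device
            return "drop:ip-tunneling"
    elif version == 6:
        if len(pkt) < 40:
            return "drop:truncated"
        proto, payload = pkt[6], pkt[40:]
        if ipaddress.IPv6Address(pkt[24:40]).is_multicast:   # ff00::/8
            return "drop:ipv6-multicast"
    else:
        return "drop:bad-version"
    if proto == 17 and len(payload) >= 8:   # UDP: look for DHCP when static IPs are used
        sport, dport = struct.unpack("!HH", payload[:4])
        if static_ips and {sport, dport} & DHCP_PORTS:
            return "drop:dhcp-disabled"
    return "allow"

def ipv4(proto: int, payload: bytes = b"") -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero; fine for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def ipv6(next_hdr: int, dst: str, payload: bytes = b"") -> bytes:
    """Constructed 40-byte IPv6 header with a fixed link-local source."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                       ipaddress.IPv6Address("fe80::1").packed,
                       ipaddress.IPv6Address(dst).packed) + payload

def udp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)   # empty UDP datagram

SAMPLES = {                                   # constructed test traffic
    "ipip":  ipv4(4, ipv4(6)),                # IPv4 packet tunneled inside IPv4
    "dhcp":  ipv4(17, udp(68, 67)),           # DHCP client -> server
    "mcast": ipv6(58, "ff02::1"),             # ICMPv6 to all-nodes multicast
    "plain": ipv4(6, b"\x00" * 20),           # ordinary TCP segment
}
```

Run `classify` over each entry of `SAMPLES` to see which of the article's mitigations fires for which traffic.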