IoT devices at risk of getting hacked due to 19 newly discovered vulnerabilities
Researchers reveal new flaws impacting a TCP/IP found at the base of many IoT products.[1] It means that billions of internet-connected devices are at risk and can get hacked. Particular reports[2] call these zero-day vulnerabilities Ripple20 and states that these flaws can affect hundreds of millions of devices because of the function of the arbitrary code execution on any targeted device.
An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks.
According to these issued advisories[3], the critical security flaws affect billions of internet-connected devices that are manufactured by various vendors across the globe. This group of flaws resides in a low-level TCP/IP software library developed by Treck. If these flaws get exploited by malicious actors, attackers can gain remote access to the targeted device and take control of the machine. Such behavior does not require any user interaction or permissions.[4]
Devices at risk in use across various industries
The affected library exists in devices that are used in industrial fields, power grids, transportation, aviation and government, national security sectors. Since these flaws can get exploited and used against people, the damage may be severe, especially when devices range from home or consumer devices to medical, healthcare, data centers, enterprises, telecommunication, oil, gas, nuclear, transportation, and many others.
The interesting thing about Ripple20 is the incredible extent of its impact, magnified by the supply chain factor. The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain “ripple-effect”. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people.
Experts fear that all the products using this library will remain unpatched due to complex software supply chains. Problems also arise because of the fact that the library was not used by equipment vendors directly.[5] Other software suites also integrated this library, so many companies are not aware that the particular piece of the code is vulnerable, and the issue is not appearing in code manifests.
Some of the Ripple20 software flaws got patched, the risk still there
Treck company revealed that patches are now available for all the Ripple20 flaws, but there are changes in code configurations, so many vulnerabilities have several variants that may not get patched soon until vendors perform comprehensive risk assessments. The name for the group of flaws was given depending on the year 2020 and the ripple effect they can cause in the IoT landscape.
All the flaws in this group have different levels of the CVSS score ranging from 3.1 to 10, based on the potentially caused damage. This is the brief list of the particularly dangerous vulnerabilities:
- CVE-2020-11896. This one can result in remote code execution. Lvl 10.0.
- CVE-2020-11897. This flaw can trigger possible out-of-bounds write.[6] Lvl 10.0.
- CVE-2020-11898. The vulnerability can result in the exposure of valuable data. Lvl 9.8.
- CVE-2020-11899. This flaw when used allows exposure of sensitive information. Lvl 9.8.
- CVE-2020-11900. This is the flaw that can also result in remote code execution. Lvl 9.3.
- CVE-2020-11901. This bug can result in remote code execution on the targeted device. Lvl 9.0.