Security researchers have discovered nineteen distinct security vulnerabilities in code designed upwards of 20 years ago, reportedly present in hundreds of millions of internet-connected devices.
The vulnerabilities were discovered by Israeli security firm JSOF and are found in a popular code library developed by Canada-based software company Treck. The code is designed to manage the TCP-IP protocol, which is responsible for connecting a device with a network, whether local or public.
Treck’s code is present in all manner of connected devices, including routers, printers, smart home devices, datacenter and powergrid equipment, commercial aircraft, satellite communications kit and a range of business software.
According to the researchers, the flaws could allow hackers to execute code on a target device, or even disable it entirely. Given the range of devices that utilize the Treck code library, the risk of exploitation is considerable.
Ripple 20 vulnerabilities
The nineteen bugs have been collectively termed Ripple20, named after the mechanism by which they found their way into so vast a range of equipment, across such a breadth of industries.
“Not that many people have heard of this company, but they are a leading provider of TCP-IP stacks, so they’re at the beginning of a really complex supply chain,” said Schlomi Oberman, JSOF CEO.
“The vulnerabilities in the stack got amplified by the ripple effect of the supply chain, so that they exist in pretty much any type of connected device.”
This “ripple” effect has also given rise to concerns that many affected devices might never be identified – and will therefore remain vulnerable.
Accordingly to Oberman, while a number of the vulnerabilities pose a less distinct threat, a handful could be used to cause serious damage.
The US Department of Homeland has verified his claims, scoring four of the Ripple20 vulnerabilities either 9.8 or 10 on the severity scale (which slides from 1 to 10) in an advisory published today.
If abused, these four flaws could allow botnet operators or individual attackers to hijack affected devices and equipment, which could have particularly significant consequences in the industrial and healthcare sectors, for example.
Despite initial hesitance to engage with JSOF, Treck has now acknowledged the bugs and published patches for all Ripple20 vulnerabilities.
“We’ve recently been made aware of an independent security researcher’s work that resulted in the the reporting of a group of vulnerabilities, of which Treck acted upon immediately,” said Treck.
“Treck has fixed all issues that were reported and made them available to our customers either through our newest code release, or patches.”
Companies are advised to test for the presence of Ripple20 vulnerabilities immediately, prioritizing the four most critical.