Ripple20

Ripple20 is a set of vulnerabilities discovered in 2020 in a software library that implemented a TCP/IP stack. The security concerns were discovered by JSOF, which named the collective vulnerabilities for how one company's code became embedded into numerous products. The software library was created around 1997 and had been implemented by many manufacturers of online devices.

Description[edit]

Ripple20 is a set of 19 vulnerabilities discovered in 2020 in a software library developed by the Cincinnati-based^[1] company Treck Inc., which implemented a TCP/IP stack.^[2]

History[edit]

The first release of Treck's library was around 1997.^[1] Treck had also worked with Elmic Systems, which created a fork of the library when the companies ended their collaboration.^[3] In September 2019, JSOF researchers analyzed a device containing code from the library and discovered it had vulnerabilities. Further analysis determined that the code originated from Treck's library, which had been widely implemented by numerous manufacturers.^[3] The disclosure of the vulnerabilities was made in June 2020.^[4]^[5]^[6]^[7] Ripple20 was chosen as the name for the set of vulnerabilities based on the disclosure year and the idea that the problems "rippled" through the supply chain from one company.^[2]^[8] It is difficult to identify all affected devices, because manufacturers may not realize that the library was used in one of their components.^[9]

References[edit]

^ ^a ^b Cimpanu, Catalin (2018-08-21). "Ripple20 vulnerabilities will haunt the IoT landscape for years to come". ZDNet. Retrieved 2020-07-02.
^ ^a ^b Greenberg, Andy (2020-06-16). "Ripple20 Bugs Put Hundreds of Millions of IoT Devices at Risk". WIRED. Retrieved 2020-07-02.
^ ^a ^b "disclosure". jsof-tech.com. Retrieved 2020-07-02.
^ "Ripple20 Threatens Increasingly Connected Medical". Darkreading.com. Retrieved 2020-07-02.
^ "This Week In Security: Bitdefender, Ripple20, Starbucks, And Pwned Passwords". Hackaday. 2020-06-26. Retrieved 2020-07-02.
^ "List of Ripple20 vulnerability advisories, patches, and updates". Bleepingcomputer.com. 2020-06-25. Retrieved 2020-07-02.
^ "Multiple Vulnerabilities in Treck IP Stack Affecting Cisco Products: June 2020". Tools.cisco.com. 2020-06-16. Retrieved 2020-07-02.
^ "Overview". jsof-tech.com. Retrieved 2020-07-02.
^ Gold, Jon. "Ripple20 TCP/IP flaws can be patched but still threaten IoT devices". Network World. Retrieved 2020-07-02.

External links[edit]

"Vulnerability Response Information". treck.com.

[zdnet1-1] Cimpanu, Catalin (2018-08-21). "Ripple20 vulnerabilities will haunt the IoT landscape for years to come". ZDNet. Retrieved 2020-07-02.

[wired1-2] Greenberg, Andy (2020-06-16). "Ripple20 Bugs Put Hundreds of Millions of IoT Devices at Risk". WIRED. Retrieved 2020-07-02.

[jsof-tech1-3] "disclosure". jsof-tech.com. Retrieved 2020-07-02.

[4] "Ripple20 Threatens Increasingly Connected Medical". Darkreading.com. Retrieved 2020-07-02.

[5] "This Week In Security: Bitdefender, Ripple20, Starbucks, And Pwned Passwords". Hackaday. 2020-06-26. Retrieved 2020-07-02.

[6] "List of Ripple20 vulnerability advisories, patches, and updates". Bleepingcomputer.com. 2020-06-25. Retrieved 2020-07-02.

[7] "Multiple Vulnerabilities in Treck IP Stack Affecting Cisco Products: June 2020". Tools.cisco.com. 2020-06-16. Retrieved 2020-07-02.

[8] "Overview". jsof-tech.com. Retrieved 2020-07-02.

[9] Gold, Jon. "Ripple20 TCP/IP flaws can be patched but still threaten IoT devices". Network World. Retrieved 2020-07-02.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]