Treck, a Cincinnati-based software company, launched a small library in 1997 that has been widely used for more than two decades and has been integrated into numerous enterprise and consumer products. Today, however, cybersecurity experts revealed 19 vulnerabilities in the small library, collectively known as Ripple20.
“Hundreds of millions” of devices are estimated to be affected, including smart home devices, power grid equipment, medical systems, industrial equipment, transportation systems, printers, routers, mobile/satellite communications equipment, data center equipment, commercial aircraft equipment, and a variety of enterprise solutions.
Security experts are also concerned that, because the software supply chain is complex and often untracked, it is highly unlikely that every product using the library will ever be patched. The problem is so serious because this small library is not only used directly by device manufacturers, but is also integrated into other software suites. This means that many companies don’t even know they’re using this particular code, and the vulnerable library’s name doesn’t even appear in their codebase.
The library implements a lightweight TCP/IP stack. For decades, many companies have used it to let their devices or software connect to the Internet over a TCP/IP connection.
In September 2019, researchers from JSOF, a cyber security consulting firm in Jerusalem, Israel, identified the vulnerabilities in the Treck TCP/IP stack. The JSOF team has been working with CERT (Computer Emergency Response Team) organizations in different countries to coordinate the vulnerability disclosure and patching process.
In an interview with ZDNet last week, JSOF described the effort, which covered many aspects: getting Treck on board, making sure Treck patched the flaws on time, then finding all vulnerable devices and reaching out to each affected vendor.
Shlomi Oberman, chief executive of JSOF, told ZDNet that the effort was a success. Oberman praised CERT/CC for playing an important role in coordinating vulnerability disclosure with all affected vendors.
Oberman said that while Treck didn’t acknowledge the issues at first, it is now moving aggressively to patch all Ripple20 vulnerabilities.
But JSOF says the identification of all vulnerable devices is not yet complete. The researchers say they named the 19 vulnerabilities Ripple20 not because they started with 20, but because of the ripple effect they will have on the Internet of Things in 2020 and in the years to come.