“Ripple20” Set of Flaws Is Sending Waves of Disturbance in IoT Security

Last updated September 24, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

The JSOF research lab has discovered a set of 19 vulnerabilities that they named “Ripple20”, and which affects a huge number of IoT devices deployed in a wide range of industries and applications. The flaws can potentially result in the hacking and takeover of the target devices, stealing of data, behavior change, settings change, planting of malicious code, and many more. The IoT vendors who are affected by “Ripple20” include Intel, Schneider Electric, HP, Rockwell Automation, Caterpillar, Baxter, and possibly many more that are yet to confirm it. The vulnerable devices are deployed in power networks, industrial systems, medical devices, networking, transportation services, home devices, retail, aviation, oil & gas, enterprise systems, and even the government and national security sectors.

The flaws are located in the “Treck IP” network stack software that is designed for deployment in various embedded systems. The Treck IP is plagued by 19 memory management bugs given the following identifiers. Severity scores only included for the highly critical flaws.

So, any device that uses an older version of the Treck IP software is vulnerable to arbitrary code execution, information disclosure, code planting, unauthenticated access, susceptibility to denial of service attacks, and remote code execution. Every flaw of the “Ripple20” set has been identified and addressed through a fixing patch, so the vendors are advised to upgrade to version 6.0.1.67 or later.

One of the main practical problems with the Treck IP library is that two unrelated firms manage separate branches of the software. Treck and Elmic Systems were once working together when the TCP/IP library first appeared in the market two decades ago. As the two split, the dissemination of the software followed separate paths, and the already complicated supply chain became even more tangly.

Downstream users cannot do much other than wait for the update to reach them. Until then, mitigation is your best bet, with the detection and blocking of anomalous IP traffic being a sure way to stay safe. Other than that, you may disable IP tunneling, block IP source routing, enforce TCP inspection, use OSI layer 2 equipment, disable IPv6 multicast, and reject IP fragments.

vendors table

Source: JSOF

As shown in the above diagram, eight vendors have confirmed the vulnerability of their devices, five claim not to be affected, and 66 are still investigating. The majority of these vendors may be vulnerable to the “Ripple20” flaws, so if you’re using their devices, implement mitigatory measures now.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: