Earlier this week, cybersecurity researchers at JSOF disclosed a set of 19 zero-day vulnerabilities, collectively known as Ripple20, present within a low-level TCP/IP software library used by hundreds of millions of devices, including numerous operational technology (OT) devices. The published vulnerabilities could allow an adversary to conduct denial-of-service attacks, and may possibly allow for remote code execution on affected devices.
Claroty assisted the research team at JSOF by providing consulting services and offering access to our extensive industrial control systems (ICS) lab environment, thus supporting efforts to map out which devices are susceptible to the Ripple20 vulnerabilities. To assist in the mitigation of these vulnerabilities, Claroty is the process of issuing a threat bundle, which will include signatures and CVE correlations based on all available vendor advisories.
The disclosed vulnerabilities affect the network stack of devices using the Treck embedded IP stack, much like the Urgent/11 vulnerabilities disclosed last year. And since this kind of attack is affecting the basic communication libraries on vulnerable devices, authentication is usually not required.
The full scope of products affected by the Ripple20 vulnerabilities is not yet clear, and public disclosures from the different vendors are expected in the coming weeks. According to JSOF, affected vendors range from small boutique shops to major corporations including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter, among others. More broadly, JSOF identifies the industrial, medical, retail, transportation, oil and gas, aviation, and government sectors as particularly vulnerable to the Ripple20 vulnerabilities, in addition to power grids, home appliances, networking devices, and other IoT-connected devices.
The following advisories have been issued for Ripple20:
Vendor advisories: Intel, HP, Schneider Electric, Caterpillar, B.Braun, Green Hills, Rockwell Automation, Cisco
The Claroty team will continue to monitor the situation, and when necessary, provide updates as new information becomes available. For more information about risk evaluation and mitigations, click here.
A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 5.8
A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 6.8
A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 5.8
A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 7.5
A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 8.1
