Attacker Value
(2 users assessed)
Very Low
(2 users assessed)
User Interaction
Privileges Required
Attack Vector

Ripple20 Treck TCP/IP Stack Vulnerabilities

Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.


Treck IP stack implementations for embedded systems are affected by multiple vulnerabilities. This set of vulnerabilities was researched and reported by JSOF, who calls them Ripple20. A summary of JSOF’s research is here, along with a technical whitepaper. See the Rapid7 Analysis tab for further details.

Add Assessment

Technical Analysis

CVE-2020-11899 (one of the Ripple20 bugs) has now been reported as exploited in the wild as per, No evidence that other bugs have been exploited though as of the time of writing.

General Information

Exploited in the Wild

Reported by:
Technical Analysis

Description: On Tuesday, June 16, security firm JSOF published research on a collection of 19 vulnerabilities in a low-level TCP/IP software library developed by Treck, a company that has distributed embedded Internet protocols since the 1990s. The Treck TCP/IP stack is widely used across real-time operating systems and embedded and IoT devices; according to the researchers, the 19 vulnerabilities “affect hundreds of millions of devices (or more),” thanks to the ripple effect of the supply chain. JSOF named the collective set of bugs “Ripple20.”

A summary of JSOF’s research is here, along with a technical whitepaper.

Affected protocols include:

  • IPv4
  • IPv6
  • UDP
  • DNS
  • DHCP
  • TCP
  • ICMPv4
  • ARP

The 19 vulnerabilities are not equal in their severity and potential impact. JSOF’s researchers have highlighted four vulnerabilities as having potential for remote exploitation:

  • CVE-2020-11896: Improper handling of length parameter inconsistency in IPv4/UDP component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution. (CVSSv3 score: 10)
  • CVE-2020-11897: Improper handling of length parameter inconsistency in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in possible out-of-bounds write. (CVSSv3 score: 10)
  • CVE-2020-11898: Improper handling of length parameter inconsistency in IPv4/ICMPv4 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in exposure of sensitive information. (CVSSv3 score: 9.8)
  • CVE-2020-11899: Improper input validation in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information. (CVSSv3 score: 9.8)

Rapid7 Analysis: The Ripple20 vulnerabilities are likely to persist for quite some time. Due to the vulnerable library’s low-level integration and wide reach, it is probable that many device vendors may not supply patches at all, especially for obsolete or unsupported devices. That said, the practical attacker value of this suite of vulnerabilities is, on the whole, relatively low. This is in large part because of the lack of attack scalability: Each attack will, in all likelihood, need to be tailor-made for the target device, and even the value of targeting specific devices is heavily dependent on device capabilities and the context in which that device is used. An industrial control device, for instance, is undoubtedly a higher-value target for an attacker than a toy that may be affected by the same vulnerability. The Treck TCP/IP stack is geared towards low-resource devices, which makes the Ripple20 vulnerabilities significantly less likely to be targeted in resource-heavy attacks such as crypto-mining or ransomware campaigns.

There are no known public exploits or reports of active exploitation as of Wednesday, June 17, 2020.

Guidance: As a general rule, users are best served by applying detections at the edge and internal network level to filter out malformed TCP/IP packets, IP fragments, and other lesser-used networking features where possible. A set of rules and guidance for filtering and detecting this traffic is available from the CERT CC Github repository.

Treck has recommended that vendors integrating Treck TCP/IP reach out to them to obtain fixes, which are available in Treck TCP/IP or later versions. Customers and end users will need to obtain fixes from their vendor rather than from Treck directly. A number of vendors, including Schneider Electric, Caterpillar, and Rockwell (among others), have reportedly published advisories of their own. If you are a customer of one of the affected vendors, you may want to monitor their public and customer communications for updates.

CISA recommends the following general measures to mitigate risk of exploitation:

  • Minimize network exposure for control system devices and systems; ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Use an internal DNS server that performs DNS-over-HTTPS for lookups.

Project Sonar Analysis

We have made an initial observation with Project Sonar that certain implementations of the Treck HTTP server respond with a Server header of $ProjectRevision: <version>$, which may correlate with the Treck TCP/IP stack version. Due to the customization possibilities in different products, this may not be a reliable fingerprint, but initial results show these results across a recent Sonar survey of HTTP servers:

 625 "$ProjectRevision: $"
 235 "$ProjectRevision: $"
 102 "$ProjectRevision: $"
  41 "$ProjectRevision: $"
  34 "$ProjectRevision: $"
  31 "$ProjectRevision: $"
  23 "$ProjectRevision: $"
  23 "$ProjectRevision: 4.2 $"
  16 "$ProjectRevision: $"
  11 "$ProjectRevision: $"
   6 "$ProjectRevision: $"
   4 "$ProjectRevision: $"
   4 "$ProjectRevision: $"
   2 "$ProjectRevision: $"
   1 "$ProjectRevision: $"
   1 "$ProjectRevision: $"
   1 "$ProjectRevision: $"
   1 "$ProjectRevision: $"

The top HTML titles returned by these targets are as follows, which appear to correlate with the kinds of devices that would be in the target market segment for the Treck TCP/IP stack.

  72 HP Color LaserJet 2600n
  41 HP LaserJet P2035n
  30 PowerMonitor 1000
  26 HP LaserJet 1022n
  23 Loading Cisco Interface...
  14 HP LaserJet P1505n
  13 HP LaserJet Professional M1212nf MFP
  12 HP LaserJet Professional P1102w
  11 401 Unauthorized
  10 Eaton ePDU G3
   8 HP LaserJet Professional P1606dn
   7 HP LaserJet M1120n MFP
   4 SiteSage Gateway Sign-In
   3 HP LaserJet 1022nw
   3 Eaton - ePDU
   2 HP LaserJet P2014n
   1 TotalAlert Embedded System
   1 PowerMonitor 5000
   1 Inicio
   1 HP LaserJet Professional M1213nf MFP
   1 Eaton - ePDU Network Management Card
   1 ACUIX IP Login Page
   1 1734-AENT/B 100 Mb Ethernet Module