2020-09-07 Ripple20 Impacts on LwIP / Hilscher TCP

Title: Ripple20 impacts on LwIP / Hilscher TCP
Reporter: CVE-2020-11896/CVE-2020-11898
Hilscher Ticket:
Affects: not affected
Not affected: Hilscher TCP, LwIP
Impact: None
CVSS: 0
Severity: NONE
Last modified:

Vulnerability Description

General

This advisory evaluates how Ripple20 affects the TCP stacks used by Hilscher, i.e. Hilscher TCP and LwIP. In short, none of the testing tools Hilscher used on LwIP and Hilscher TCP identified any of the Ripple20 vulnerabilities in the TCP stacks we use.

Hilscher's Statement on Ripple20

Hilscher devices are not affected by Ripple20 because we do not use this particular TCP/IP stack. Furthermore, we have conducted several different tests (as can be seen below) to be sure that the Ripple20 issues are not present inside our stack.

Short Description of Ripple20

Ripple20 is a set of 19 zero-day vulnerabilities found in the Treck TCP/IP stack, which is employed in billions of IoT devices. However, we do not use the Treck stack but our own library (Hilscher TCP/IP stack). The goal here is to evaluate whether we might be affected by some of the Ripple20 vulnerabilities as well.

Detailed Description and Impacts of Ripple20 in general

Please refer to the official JSOF research site in order to get an understanding of the impacts and a detailed description of Ripple20.

Impacts on TCP stacks used by Hilscher (LwIP, Hilscher TCP)

The source code of Hilscher's TCP stack and of the publicly available LwIP stack differs completely from that of the Treck TCP stack. Thus the probability that the same or similar vulnerabilities as those included in Ripple20 are present is low.

However, in order to verify that we have not overlooked anything, we have run different testing tools and the official Ripple20 exploit scripts to show that our stacks are not affected by any of the Ripple20 vulnerabilities.

Statement of LwIP / Hilscher TCP's development team

LwIP's development team does not believe that they could be affected by the security issues found inside Treck's TCP/IP stack. They stated that LwIP originates from completely different sources. Furthermore, they added that they use fuzzers for testing, which would have discovered most of the issues in Treck's stack, as these originated from improper input validation of length and data. The discussion with LwIP's development team can be found under https://savannah.nongnu.org/bugs/?58724.

As Hilscher's testing / development team also uses the Achilles test system for fuzzing and more, we agree with the statements of LwIP's development team.

Tools used for testing the absence of Ripple20 inside LwIP and Hilscher's TCP stack

Achilles Test System

The Achilles test system was used for fuzzing. No anomalies were found, in particular for the main root causes of the Treck vulnerabilities, i.e. improper input validation of length and data. Passing Achilles can be regarded as positive; however, passing the Achilles test suite cannot completely confirm the absence of the Ripple20 vulnerabilities.
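The root-cause class named in the LwIP statement and in the Achilles results above, length fields that are not validated against the data actually received, is illustrated by the following added example. It is not code from LwIP, Hilscher TCP or Treck; `ip4_validate` and `ip4_sweep_lengths` are hypothetical names, and the packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes of the hypothetical validator below. */
enum ip4_check { IP4_OK, IP4_TOO_SHORT, IP4_BAD_VERSION,
                 IP4_BAD_IHL, IP4_BAD_TOTAL_LEN };

/* Check the IPv4 length fields against the bytes actually received (buf_len).
 * On success the payload is bounded by the header's total length. */
enum ip4_check ip4_validate(const uint8_t *buf, size_t buf_len,
                            const uint8_t **payload, size_t *payload_len)
{
    if (buf == NULL || buf_len < 20)
        return IP4_TOO_SHORT;
    if ((buf[0] >> 4) != 4)
        return IP4_BAD_VERSION;
    size_t hdr_len = (size_t)(buf[0] & 0x0F) * 4;   /* IHL counts 32-bit words */
    if (hdr_len < 20 || hdr_len > buf_len)
        return IP4_BAD_IHL;
    size_t total_len = ((size_t)buf[2] << 8) | buf[3];  /* network byte order */
    if (total_len < hdr_len || total_len > buf_len)
        return IP4_BAD_TOTAL_LEN;
    *payload = buf + hdr_len;
    *payload_len = total_len - hdr_len;
    return IP4_OK;
}

/* Sweep every IHL and total-length value over a constructed packet, as a
 * length fuzzer would, and count accepted packets whose payload would
 * reach past the received bytes. A correct validator yields 0. */
unsigned ip4_sweep_lengths(size_t buf_len)
{
    uint8_t pkt[64] = {0};                  /* constructed sample packet */
    unsigned violations = 0;
    if (buf_len > sizeof pkt)
        buf_len = sizeof pkt;
    for (unsigned ihl = 0; ihl < 16; ihl++)
        for (unsigned tl = 0; tl <= 0xFFFF; tl++) {
            const uint8_t *p;
            size_t n;
            pkt[0] = (uint8_t)(0x40 | ihl);
            pkt[2] = (uint8_t)(tl >> 8);
            pkt[3] = (uint8_t)tl;
            if (ip4_validate(pkt, buf_len, &p, &n) == IP4_OK &&
                (size_t)(p - pkt) + n > buf_len)
                violations++;
        }
    return violations;
}
```

A sweep result other than 0 means some combination of header length and total length was accepted although it describes more data than was received.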

Nessus Scanner

The Nessus scanner initially used for the test gave a false positive, meaning that it reported that the Hilscher TCP/IP and LwIP stacks could be vulnerable to Ripple20. However, an analysis of the test results gave no hint as to why Nessus initially marked the Hilscher TCP stack as possibly vulnerable to Ripple20.

Nessus has since updated its vulnerability scanning scripts for Ripple20 due to some internal errors. After an update of the corresponding plugin ( https://www.tenable.com/plugins/nessus/138615 ), Nessus no longer marked the Hilscher TCP stack and the LwIP stack as vulnerable, and the vulnerabilities that the plugin had reported before were no longer present.

Official JSOF Scripts

The research team that initially found the Ripple20 vulnerabilities inside the Treck stack provided test scripts that allow for the detection of possible Ripple20-related vulnerabilities. No Ripple20-related vulnerabilities were found inside our Hilscher TCP stack or the open-source LwIP stack used at Hilscher.

OpenVAS

OpenVAS does provide scripts that allow detecting Ripple20-affected devices; however, the free version of OpenVAS currently in use does not include the Ripple20 vulnerability checking scripts. We would have to wait for the scripts to be included in the free community-feed version of OpenVAS in order to be able to check for the vulnerabilities with OpenVAS.

Disclaimer

The security advisory and information contained herein, are provided on an "as is" basis and do not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. The information in this advisory should not be construed as a commitment by Hilscher. In no event shall Hilscher be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, nor shall Hilscher be liable for incidental or consequential damages arising from use of any software or hardware described in this advisory.
Hilscher provides no warranty, express or implied, for the information contained in this document, and assumes no responsibility for the information contained in this document or for any errors that may appear in this document. Your use of the advisory and information contained herein, or materials linked from the advisory, is at your own risk.  Information in this advisory and any related communications is based on our knowledge at the time of publication and is subject to change without notice. Hilscher reserves the right to change or update advisories at any time.