Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Ripple20 vulnerabilities affect numerous types of devices, from medical equipment and routers to power grid controllers. Public information describes how an unauthenticated attacker can exploit Ripple20 DNS vulnerabilities to run arbitrary code on a device with Treck TCP/IP installed. If an attacker can successfully exploit these vulnerabilities, they can gain complete control of a device.
Kill Chain
Risk Score
88
The DNS resolver in the Treck TCP/IP network stack has multiple vulnerabilities that enable remote code execution (RCE). To exploit these vulnerabilities, an attacker first looks for DNS queries sent from a potential Ripple20 victim, and then quickly answers the query with a malicious DNS record, such as a Canonical Name (CNAME), Mail Exchange (MX), or Pointer (PTR) record. The record contains a pointer offset value (which is part of the normal DNS compression schema) that is modified to cause errors when decompressing the payload. The payload size is incorrectly calculated by the DNS resolver, which results in allocating too little memory (on the heap memory of the victim) to process the DNS response. When data is copied into the buffer, a heap-based overflow occurs. The attacker can now run arbitrary code on the victim device.
