
DETECTION OVERVIEW

Ripple20 IP in IP Exploit Attempt - [Multiple CVEs]

Risk Factors

Ripple20 vulnerabilities affect numerous devices, from medical equipment and routers to power grid controllers. An attacker must create a specially designed packet for this sophisticated attack. A successful exploit can result in an information leak and ultimately give the remote attacker complete control of a device through remote code execution (RCE).

Kill Chain

Exploitation

Risk Score

92


Attack Background

Ripple20 refers to a collection of 19 vulnerabilities in specific versions of the Treck TCP/IP network stack. An attacker exploits the Ripple20 IP-in-IP vulnerabilities by sending specially designed IP-in-IP messages in which the inner packet length is less than the actual packet length and the outer IPv4 packet is fragmented. When the network stack reassembles the fragmented outer IP layer of the message, it allocates insufficient memory for the actual size of the inner packet, and the buffer overflows on the victim device.

With CVE-2020-11896, an attacker might target an open UDP port on the device and flood the device with UDP packets before sending the malformed IP-in-IP packet, which induces a buffer overflow that can enable remote code execution.

With CVE-2020-11898, an attacker might include an unsupported IPv4 protocol number such as 0 in the inner IP packet. The network stack responds with an ICMP error message that includes some of the data from the malformed inner packet. Because the network stack does not calculate the correct size of the packet, the ICMP response leaks data that the attacker can leverage for future attacks.
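The two indicators described above (an IP-in-IP datagram whose inner header claims fewer bytes than the outer packet actually carries, and an inner protocol number the stack does not support) can be checked directly on the wire. The following detector is an added example written for this page; it is not RevealX code or part of the Treck stack. It parses IPv4 headers with the standard library, reassembles the fragments of one datagram in offset order, and then applies the checks to the inner header. The caller is assumed to have already grouped fragments by source, destination and identification field; the sample datagrams at the bottom are constructed for the example and are not real captures.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_IPIP = 4                   # outer protocol value the page recommends blocking at the perimeter
UNSUPPORTED_INNER_PROTOCOLS = {0}  # inner protocol number the page names for the ICMP leak (CVE-2020-11898)


@dataclass
class Ipv4Header:
    ihl: int            # header length in bytes
    total_len: int      # declared total length of this packet or fragment
    ident: int
    more_fragments: bool
    frag_offset: int    # in bytes
    proto: int
    src: str
    dst: str


@dataclass
class Finding:
    tag: str
    detail: str


def parse_ipv4(buf: bytes, offset: int = 0) -> Optional[Ipv4Header]:
    """Parse the IPv4 header at buf[offset:]; None if truncated or not IPv4. Checksums are not verified."""
    if len(buf) - offset < 20:
        return None
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", buf, offset)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) - offset < ihl:
        return None
    return Ipv4Header(ihl, total_len, ident, bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8,
                      proto, ".".join(map(str, src)), ".".join(map(str, dst)))


def reassemble(fragments: List[bytes]) -> Optional[Tuple[Ipv4Header, bytes, bool]]:
    """Reassemble the fragments of one datagram in offset order.
    Returns (first fragment's header, reassembled payload, was_fragmented), or None when a gap,
    an overlap or a missing final fragment means the datagram cannot be reconstructed safely."""
    parsed = []
    for raw in fragments:
        hdr = parse_ipv4(raw)
        if hdr is None:
            return None
        parsed.append((hdr, raw))
    parsed.sort(key=lambda p: p[0].frag_offset)
    payload, complete = bytearray(), False
    for hdr, raw in parsed:
        if hdr.frag_offset != len(payload):      # gap or overlap: do not guess
            return None
        payload += raw[hdr.ihl:hdr.total_len]
        if not hdr.more_fragments:
            complete = True
            break
    if not complete:
        return None
    first = parsed[0][0]
    return first, bytes(payload), len(parsed) > 1 or first.more_fragments


def inspect_ipip(fragments: List[bytes]) -> List[Finding]:
    """Apply the Ripple20 IP-in-IP indicators from the text to one datagram (one or more fragments)."""
    result = reassemble(fragments)
    if result is None:
        return [Finding("incomplete-datagram", "gap, overlap or missing final fragment")]
    outer, payload, was_fragmented = result
    if outer.proto != IPPROTO_IPIP:
        return []
    findings = [Finding("ipip", f"protocol 4 datagram {outer.src} -> {outer.dst}, fragmented={was_fragmented}")]
    inner = parse_ipv4(payload)
    if inner is None:
        findings.append(Finding("inner-header-invalid", "inner IPv4 header truncated or not IPv4"))
        return findings
    # Overflow pattern: the inner header claims fewer bytes than the outer packet actually carries.
    if inner.total_len < len(payload):
        findings.append(Finding("inner-length-mismatch",
                                f"inner total length {inner.total_len} < {len(payload)} bytes carried"))
    # Leak pattern: an unsupported inner protocol provokes an ICMP error built from the malformed packet.
    if inner.proto in UNSUPPORTED_INNER_PROTOCOLS:
        findings.append(Finding("inner-proto-unsupported", f"inner protocol {inner.proto}"))
    return findings


def finding_tags(fragments: List[bytes]) -> List[str]:
    return [f.tag for f in inspect_ipip(fragments)]


def build_ipv4(src, dst, proto, payload, ident=1, more_fragments=False, frag_offset=0) -> bytes:
    """Constructed-sample builder for the inputs below (checksum left at zero; the inspector ignores it)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return header + payload


# Constructed sample datagrams (not real captures); addresses are from documentation ranges.
_udp_inner = build_ipv4("10.0.0.5", "10.0.0.9", 17, b"\x00" * 8)
_short_inner = build_ipv4("10.0.0.5", "10.0.0.9", 17, b"\x00" * 8) + b"\x00" * 172   # claims 28, carries 200
SAMPLES = {
    "plain_udp": [build_ipv4("198.51.100.7", "192.0.2.10", 17, b"\x00" * 8)],
    "ipip_tunnel": [build_ipv4("198.51.100.7", "192.0.2.10", 4, _udp_inner)],
    "ipip_fragmented_short_inner": [
        build_ipv4("198.51.100.7", "192.0.2.10", 4, _short_inner[:104], ident=7, more_fragments=True),
        build_ipv4("198.51.100.7", "192.0.2.10", 4, _short_inner[104:], ident=7, frag_offset=104),
    ],
    "ipip_inner_proto_0": [build_ipv4("198.51.100.7", "192.0.2.10", 4,
                                      build_ipv4("10.0.0.5", "10.0.0.9", 0, b"\x00" * 8))],
}

if __name__ == "__main__":
    for name, frags in SAMPLES.items():
        print(name, [(f.tag, f.detail) for f in inspect_ipip(frags)])
```

The benign tunnel sample only produces the informational `ipip` tag, which is useful on its own where the perimeter policy above is to block protocol 4 entirely; the fragmented sample with a short inner length and the inner-protocol-0 sample each add the specific indicator. Fragment sets with gaps or overlaps are reported rather than reassembled, since guessing at overlapping data is exactly the kind of reassembly behaviour the vulnerable stack gets wrong.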

Mitigation Options

Install relevant patches for affected software versions

Block traffic with a protocol value of 4 (IP in IP) at the network perimeter

Implement network segmentation, security zones, and firewall policies that limit how devices can communicate

Configure firewalls to block outbound ICMP traffic to external endpoints
