Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Ripple20 vulnerabilities affect numerous devices, from medical equipment to routers to power grid controllers. Attack tools and publicly-available scripts can help an attacker run a scan for potential targets. Devices that have the Treck TCP/IP network stack installed might be running a vulnerable version, requiring an immediate patch.
Kill Chain
Risk Score
60
Ripple20 refers to a collection of 19 vulnerabilities—some of which are remote code execution (RCE) vulnerabilities—in specific versions of the Treck TCP/IP network stack. To exploit a Ripple20 vulnerability, the attacker must first find devices that run Treck TCP/IP. The attacker sends an ICMP type 165 (0xa5) message, which is similar to a ping, to multiple devices to scan the network. A device that is running a Treck TCP/IP stack responds to the attacker with the ICMP type 166 (0xa6) message. The attacker can now target this device for additional reconnaissance. If the target is running an unpatched version of the Treck TCP/IP network stack before 6.1.0.66, then the attacker can take the next steps to exploit the target.
Install relevant patches for the affected versions or update Treck network stacks to version 6.0.1.67 or higher
Implement network segmentation, security zones, and firewall policies that limit how devices can communicate
Block external connections to internal devices at the network perimeter
