# How to Identify and Remediate the Risks Associated with Ripple20

By [Aveek Das](https://www.paloaltonetworks.com/blog/author/aveek-das/?ts=markdown "Posts by Aveek Das") and [Derick Liang](https://www.paloaltonetworks.com/blog/author/derick-liang/?ts=markdown "Posts by Derick Liang"), Oct 30, 2020

The expanding number of IoT devices, while enhancing business productivity, has created an increasing number of access points for attackers to exploit. As organizations continue to adopt IoT technologies, it's imperative they employ strict security measures to decrease the attack surface and prevent potential threats.
This blog post identifies a series of IoT threats organizations may be exposed to and the proper mitigation strategies they can employ to secure IoT devices and protect sensitive data.

Cybersecurity researchers at JSOF recently published a number of zero-day vulnerabilities in the TCP/IP protocol library developed by Treck. This library, which implements a lightweight TCP/IP stack, has been used by multiple vendors as a way of providing internet connectivity across a number of different device types. The collection, named [Ripple20](https://www.jsof-tech.com/ripple20/), comprises 19 vulnerabilities that can allow an attacker to execute code remotely, steal data, change behavior, cause malfunctions, and hide malicious code. Four of these vulnerabilities are of critical severity, with CVSS scores above nine. The attacks can be performed over DNS, ICMP, DHCP, IPv6, and ARP.

Ripple20 is especially significant due to the number of vendors, devices, and verticals that use the aforementioned library. According to the researchers at JSOF, the vulnerabilities were named this way to signify the ripple effect they will cause in the IoT landscape over the next several years.

### **Ripple20 Vulnerability Overview**

The following table lists the severity and fixed version for each Ripple20 CVE (common vulnerability and exposure):

| CVE | Severity | Component Affected | Potential Impact | Fixed Version |
|----------------|----------|---------------------|-----------------------------------|-----------------------|
| CVE-2020-11896 | Critical | IPv4/UDP | Remote Code Execution | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11897 | Critical | IPv6 | Remote Code Execution | Treck TCP/IP 5.0.1.35 |
| CVE-2020-11898 | Critical | IPv4/ICMPv4 | Out-of-Bounds Read | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11899 | Medium | IPv6 | Out-of-Bounds Read | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11900 | High | IPv4 | Use After Free | Treck TCP/IP 6.0.1.41 |
| CVE-2020-11901 | Critical | DNS | Remote Code Execution | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11902 | High | IPv6/IPv4 | Out-of-Bounds Read | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11903 | Medium | DHCP | Exposure of Sensitive Information | Treck TCP/IP 6.0.1.28 |
| CVE-2020-11904 | High | Memory Allocation | Out-of-Bounds Write | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11905 | Medium | DHCPv6 | Exposure of Sensitive Information | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11906 | Medium | Ethernet Link Layer | Integer Underflow | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11907 | Medium | TCP | Improper Handling | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11908 | Medium | DHCP | Exposure of Sensitive Information | Treck TCP/IP 4.7.1.27 |
| CVE-2020-11909 | Medium | IPv4 | Integer Underflow | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11910 | Medium | ICMPv4 | Out-of-Bounds Read | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11911 | Medium | ICMPv4 | Missing Authorization | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11912 | Medium | TCP | Out-of-Bounds Read | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11913 | Medium | IPv6 | Out-of-Bounds Read | Treck TCP/IP 6.0.1.66 |
| CVE-2020-11914 | Medium | ARP | Out-of-Bounds Read | Treck TCP/IP 6.0.1.66 |

The library is currently used by
leading vendors like HP, Cisco, Baxter, B. Braun, Schneider Electric, Intel, and Rockwell Automation, and in multiple industries, such as medical, transportation, industrial control, enterprise, retail, and finance. The devices affected by these vulnerabilities range from everyday office devices like printers and access points to specialized devices like infusion pumps and industrial control devices. Because the library is not only used directly by equipment vendors but also integrated into various third-party software suites, tracking its presence and patching it is a challenge for consumers. Vendors have released advisories about specific devices that have been affected by Ripple20.

### **Risk Assessment**

The risks that are associated with Ripple20 include:

* Attackers taking remote control of an internet-facing device, causing the device not to perform as expected or shutting down the device entirely.
* Once attackers have [infiltrated a device](https://www.paloaltonetworks.com/resources/8-stages-of-the-iot-attack-lifecycle.html), they can exploit other vulnerabilities in the library and spread the attack to devices in the same network segment.
* An attacker can also gain control over all the devices in a network segment by gaining access to a compromised device in the internal network (like a router).
* Sophisticated attacks, like MITM and DNS cache poisoning, can potentially be performed by the attacker from outside the network boundaries.

Customers should ensure their IoT devices do not have any unused ports open, which will limit the entry points available to an attacker. Sensitive devices should [maintain proper network segmentation](https://www.paloaltonetworks.com/resources/infographics/4-steps-to-reducing-iot-ot-security-threats-in-the-enterprise) by not being in the same network as guest devices or devices that have ports open from the internet.

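
The fixed-version column of the table and the segmentation advice above can be combined into a first-pass triage of a device inventory. The following Python code is an added example, not code from the original post or from Palo Alto Networks; the inventory, segment list and field names are constructed, and it assumes that any release at or above a CVE's listed fixed version contains the fix.

```python
import ipaddress

RANK = {"Critical": 0, "High": 1, "Medium": 2}
# Severity and fixed Treck TCP/IP release per CVE, copied from the table above.
FIXED = {
    "CVE-2020-11896": ("Critical", "6.0.1.66"), "CVE-2020-11897": ("Critical", "5.0.1.35"),
    "CVE-2020-11898": ("Critical", "6.0.1.66"), "CVE-2020-11899": ("Medium", "6.0.1.66"),
    "CVE-2020-11900": ("High", "6.0.1.41"), "CVE-2020-11901": ("Critical", "6.0.1.66"),
    "CVE-2020-11902": ("High", "6.0.1.66"), "CVE-2020-11903": ("Medium", "6.0.1.28"),
    "CVE-2020-11904": ("High", "6.0.1.66"), "CVE-2020-11905": ("Medium", "6.0.1.66"),
    "CVE-2020-11906": ("Medium", "6.0.1.66"), "CVE-2020-11907": ("Medium", "6.0.1.66"),
    "CVE-2020-11908": ("Medium", "4.7.1.27"), "CVE-2020-11909": ("Medium", "6.0.1.66"),
    "CVE-2020-11910": ("Medium", "6.0.1.66"), "CVE-2020-11911": ("Medium", "6.0.1.66"),
    "CVE-2020-11912": ("Medium", "6.0.1.66"), "CVE-2020-11913": ("Medium", "6.0.1.66"),
    "CVE-2020-11914": ("Medium", "6.0.1.66"),
}
# Constructed sample data (hypothetical names, addresses and field names).
# "treck": library version, "unknown" if unconfirmed, None if Treck is not embedded.
SEGMENTS = ["10.10.20.0/24", "10.10.30.0/24", "192.168.50.0/24"]
INVENTORY = [
    {"name": "infusion-pump-03", "ip": "10.10.20.11", "treck": "6.0.1.41", "role": "medical", "internet_facing": False},
    {"name": "printer-2f", "ip": "10.10.20.40", "treck": "unknown", "role": "office", "internet_facing": True},
    {"name": "plc-line-1", "ip": "10.10.30.5", "treck": "6.0.1.66", "role": "ics", "internet_facing": False},
    {"name": "badge-reader", "ip": "10.10.30.8", "treck": "6.0.1.28", "role": "facility", "internet_facing": False},
    {"name": "ups-monitor", "ip": "192.168.50.9", "treck": "4.7.1.20", "role": "facility", "internet_facing": False},
    {"name": "guest-laptop", "ip": "192.168.50.23", "treck": None, "role": "guest", "internet_facing": False},
]

def as_tuple(version):
    """'6.0.1.41' -> (6, 0, 1, 41) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def open_cves(treck):
    """CVEs still unpatched for an installed Treck version, most severe first."""
    if treck is None:  # device does not embed the library
        return []
    # Assumption: an unconfirmed version is treated as unpatched for all 19 CVEs.
    have = None if treck == "unknown" else as_tuple(treck)
    hits = [(RANK[sev], cve) for cve, (sev, fixed) in FIXED.items()
            if have is None or have < as_tuple(fixed)]
    return [cve for _, cve in sorted(hits)]

def segment_of(ip):
    """CIDR of the configured segment containing ip, or None if it is in none."""
    addr = ipaddress.ip_address(ip)
    return next((s for s in SEGMENTS if addr in ipaddress.ip_network(s)), None)

def triage(inventory):
    """Vulnerable devices: exposed ones first, then by worst severity and CVE count."""
    rows = []
    for dev in inventory:
        cves = open_cves(dev["treck"])
        if not cves:
            continue
        seg = segment_of(dev["ip"])
        # Same-segment neighbours the post warns about: guest or internet-reachable devices.
        risky = sorted(d["name"] for d in inventory
                       if d is not dev and seg is not None and segment_of(d["ip"]) == seg
                       and (d["role"] == "guest" or d["internet_facing"]))
        rows.append({"name": dev["name"], "worst": FIXED[cves[0]][0], "open": len(cves),
                     "exposed": dev["internet_facing"] or bool(risky),
                     "shares_segment_with": risky})
    rows.sort(key=lambda r: (not r["exposed"], RANK[r["worst"]], -r["open"], r["name"]))
    return rows

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

A row with `exposed` set is a device that is internet-facing itself or shares a segment with a guest or internet-reachable host, which makes it a candidate for patching or isolation ahead of the rest.
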
Proper network segmentation greatly reduces the attack surface and prevents a vulnerable device from spreading the threat to a larger pool of devices. Social distancing applies to devices too!

All of these vulnerabilities are addressed in Treck's TCP/IP library 6.0.1.66 and later. Specific vendors have also been releasing patches with the updated library to ensure the devices are no longer vulnerable. Here's what a customer should do to ensure the devices no longer have the vulnerable library:

1. Check the device inventory to find all possible vendors and devices in the network.
2. Reach out to each individual vendor to determine if the device is vulnerable.
3. Update to the latest firmware patches for all devices (especially for affected vendors).

Irrespective of Ripple20, it is best practice to have up-to-date firmware installed.

### **Detection and Remediation**

[Palo Alto Networks IoT Security service](https://stage.paloaltonetworks.com/network-security/iot-security) can help pinpoint devices in your inventory that are vulnerable to the above CVEs. Powered by machine learning, our platform will determine the identity of devices down to the type, profile, and model. Vulnerabilities will be discovered based on these identities and displayed within the platform.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/image1-1.png)

As various vendors release advisories related to devices affected in their product line, we are monitoring them and adding detections based on them. Evaluate the impact of the vulnerability by logging in to your IoT Security service, navigating to the vulnerabilities page, and checking if any devices are vulnerable to Ripple20.

Palo Alto Networks IoT Security has additional detections in place in case any devices face any further security threats:

* When devices with these vulnerabilities are exploited, they will deviate from their normal network behavior.
  Our patented ML-based anomaly detection will generate alerts based on abnormal behavior (e.g., traffic from new sources, excessive connections, international connections). Victim devices can then be quarantined based on this behavior to stop attacks from spreading to other vulnerable devices in the same network.
* Check the devices that the [Palo Alto Networks IoT Security](https://www.paloaltonetworks.com/resources/datasheets/iot-security) service has listed as having confirmed or potential vulnerabilities among the 19 CVEs listed above. These devices should be patched with Treck TCP/IP 6.0.1.66 (released on 30 March 2020) or higher.
* Different vendors and manufacturers that use the Treck libraries are currently researching and releasing firmware that addresses the issues exposed by Ripple20. Please check the respective vendor websites for the updated firmware versions. These firmware releases can also be used to patch your devices.
* If you are unable to update your devices, you should take the following steps to minimize risk and keep your network safe:
  1. Configure IoT and critical devices to ensure that they are not accessible from the internet.
  2. Properly configure your network segments to ensure IoT devices are behind firewalls, isolated from guest and business networks.
  3. Block any IoT traffic that has anomalous behavior.

For more information on Palo Alto Networks IoT Security, [visit our website](https://www.paloaltonetworks.com/network-security/iot-security).

*Aveek Das is a Senior Researcher in Threat Prevention. Derick Liang is a Data Scientist for IoT Security.
At Palo Alto Networks, their work focuses on the security and analytics for the IoT Security Platform, mainly machine learning based threat and risk detection for IoT.*