Vulnerability Spotlight 3: Ripple20

CVE-2020-11896 and others, aka Ripple20

Continuing the NCSC’s Vulnerability Spotlight series, in which we examine a range of security vulnerabilities disclosed over the past year. Each post gives a high-level overview of a vulnerability, presents our thoughts on its implications, and provides some further reading.


Ripple20 is a series of vulnerabilities discovered in a TCP/IP library that is used by millions of devices, particularly within IoT and industrial control applications. The name refers to the massive propagation of this vulnerability due to the supply chain ripple effect. The affected software library is in use on millions of devices across a range of applications and industries.

Technical Details:

Ripple20 refers to a set of 19 vulnerabilities discovered in the Treck TCP/IP stack. Four of these vulnerabilities received a CVSS score over 9:


  • CVE-2020-11896(external link): This vulnerability is found within the IPv4 tunnelling implementation of the Treck TCP/IP stack. It is a result of a heap overflow software bug that occurs when the TCP/IP stack is fragmenting tunnelling IP packets. It can be exploited using standard heap overflow exploitation techniques. This vulnerability can be leveraged to enable remote code execution on the affected device.
  • CVE-2020-11897(external link): This vulnerability is found within the IPv6 implementation of the TCP/IP stack. It is triggered by sending an affected device malformed IPv6 packets. It can lead to remote code execution on the affected device.
  • CVE-2020-11901(external link): This vulnerability is a result of the way the TCP/IP stack handles DNS requests sent by affected devices. It occurs when a device sends a DNS request outside of the network and receives a malformed packet from a malicious actor. It can lead to remote code execution, which is made more severe by the fact that the malicious actor can conduct this activity while completely outside the victim network.
  • CVE-2020-11898(external link): This vulnerability is found within the ICMP component of the TCP/IP stack. It occurs when a malicious actor sends an affected device a malformed IPv4/ICMP packet. It can lead to a potential disclosure of sensitive information.


The Ripple20 vulnerabilities show that in the complex world of modern IT supply chains, one vulnerable component can have a ripple effect, causing vulnerabilities in numerous different industries and products. In many cases, a product’s end user might not even be aware that they are exposed to the underlying vulnerable component. However, organisations can take a number of steps to address any risks arising out of vulnerabilities in their supply chains and to make themselves more cyber resilient. This brings us to the topic of managing supply chain cyber security risks.

Earlier this year, the NCSC published guidance on supply chain cyber security. This guidance is designed to help business leaders and cyber security professionals better understand and manage the cyber security risks in their supply chains.

You can view this guidance here:

Supply Chain Cyber Security: In Safe Hands

Also in this series:

Vulnerability Spotlight 1: ZeroLogon

Vulnerability Spotlight 2: MobileIron MDM

Further reading:

The JSOF research lab’s overview of Ripple20(external link)