Ripple20 Vulnerabilities

Impacting Millions of Connected Devices, Medical Equipment, Industrial Control Systems, Countless IoT Devices, and Even Widely Used Home Automation Devices.

By Ashish Shah, Enterprise Architect

We don’t typically write blog posts that are simply a list of resources and links, but in this case, we are making an exception to quickly educate our client base and call attention to a series of recently identified critical cybersecurity vulnerabilities that are going to be challenging to remediate quickly. This series of critical vulnerabilities was passed on to Dasher by one client of ours while working on a joint project to firm up their security posture.

In mid-June 2020, cybersecurity researchers unearthed 19 zero-day vulnerabilities in a small TCP/IP protocol library designed in the 1990s by Treck Inc. This library – on account of its small footprint, excellent performance and stability – has been widely used and integrated into countless enterprise and consumer-grade products over the last 20+ years.

Security researchers from the Israeli cybersecurity organization JSOF discovered the vulnerabilities and named them Ripple20 because of the supply chain ripple effect: a single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people. The CERT/CC vulnerability note on the Carnegie Mellon University website (see the references below) maintains an expandable list of affected, not affected and unknown-status companies that may have impacted products. The companies provide a wide array of both business (servers, networking devices and facilities solutions) and home IT (such as printers and laptops) solutions.

Impact:

Four vulnerabilities were ranked as critical. Two of them (CVE-2020-11897 and CVE-2020-11896) received the highest possible severity rating of 10 out of 10, while the other two critical vulnerabilities were rated 9.1 (CVE-2020-11898) and 9.0 (CVE-2020-11901). The first three can permit remote code execution, while the fourth can cause the exposure of sensitive data.

These high-risk vulnerabilities could allow an attacker to infiltrate networks from the outside, to perform a host of malicious activities such as stealing data, to negatively impact the functionality of an industrial control device, or to cause a connected device (like a light switch) to malfunction. The exploitation of these vulnerabilities could also allow attackers to perform remote code execution, to launch denial-of-service (DoS) attacks, and to obtain potentially sensitive information.

Overall, a majority of sectors could be impacted by these device flaws, including the government, utilities, hospitals and national security sectors. The full impact of these flaws is hard to calculate given some of the impacted vendors also distribute software based on Treck’s design.

Below is the list of all 19 CVE IDs, which IT administrators can use from a vulnerability assessment point of view to run a quick search within their organization:

CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, CVE-2020-11899, CVE-2020-11900, CVE-2020-11901, CVE-2020-11902, CVE-2020-11903, CVE-2020-11904, CVE-2020-11905, CVE-2020-11906, CVE-2020-11907, CVE-2020-11908, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11913, CVE-2020-11914

Vendor Information and Status

A list of vendors from the U.S. CERT Coordination Center (CERT/CC) shows more than two dozen companies with products that have an “unknown” status for Ripple20 impact. IT administrators can use this status page to keep track of vendors that may be deployed in their businesses.

Solution:

Given the lack of an immediate vulnerability patch, coupled with how widely the vulnerable library is distributed, below is the current recommendation of industry experts:

“The best strategy is to implement compensating controls such as network segmentation to make it harder for adversaries to connect to these devices, plus Network Traffic Analysis (NTA) with Security Orchestration, Automation, and Response (SOAR) to quickly spot anomalous behavior—and stop it—before bad actors can cause a safety incident, shut down production, or steal intellectual property.”

Of course, this is going to be a very tedious task for medical equipment and industrial control devices, many of which may run legacy firmware that is out of support. Dasher can certainly help provide technical expertise as well as resources. Clients can also look to companies like Palo Alto Networks if they need to invest in a SOAR or NTA solution they don’t already have.

In summary, here are a few things that our clients can do in the near term to protect themselves while they work on a larger strategy:

  1. Apply Vendor-Released Security Updates and Patches

Treck has issued a patch for use by OEMs in the latest Treck stack version (6.0.1.67 or higher).

In addition to the advisories from ICS-CERT and CERT/CC, vendors such as Aruba, Intel, HPE, Schneider Electric, Caterpillar, B. Braun, Green Hills, Rockwell Automation, and Cisco have released their own advisories and related patches. Not all patches are available yet, but where they are, we strongly recommend installing these security updates without delay.

  2. Implement a Network Traffic Analyzer (NTA) to
    • Detect and alert on anomalous IP traffic
    • Block anomalous IP traffic
  3. Leverage Vulnerability Scanners to Identify Systems Vulnerable to the Critical CVEs

Dasher’s clients can run vulnerability scans against these CVEs using vulnerability management systems from companies like Tenable. At a minimum, clients should run a vulnerability assessment scan to identify network devices affected by the top 4 critical vulnerabilities. If any are identified, administrators should ensure those resources do not have direct internet access from outside their network.

  4. Implement Network Segmentation

One suggestion is to segment out the vulnerable resources on a case-by-case basis until a vendor patch is available to secure against these vulnerabilities. IT administrators should place control system networks and remote devices behind firewalls – isolating them from the enterprise network. If remote access is required, secure methods should be leveraged for access, such as an SSL Virtual Private Network (VPN).
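As an added example (not code from the original post or from Dasher), the Python script below applies steps 1, 3 and 4 to a constructed scanner export: it keeps only findings for the 19 Ripple20 CVE IDs listed above, ranks hosts by direct internet exposure and by the critical CVSS scores from the Impact section, and checks a reported Treck stack version against the 6.0.1.67 fix. The CSV columns (host, cve, internet_exposed) are an assumed format, not any vendor's export.

```python
import csv
import io
# Added example, not code from the post or from Dasher. The CSV layout (host, cve,
# internet_exposed) is a constructed, assumed export format. The 19 CVE IDs, the four
# critical CVSS scores and the fixed Treck version 6.0.1.67 come from the post.
RIPPLE20_CVES = {f"CVE-2020-{n}" for n in range(11896, 11915)}
CRITICAL_CVSS = {"CVE-2020-11896": 10.0, "CVE-2020-11897": 10.0,
                 "CVE-2020-11898": 9.1, "CVE-2020-11901": 9.0}
FIXED_TRECK = (6, 0, 1, 67)  # Treck stack 6.0.1.67 or higher contains the fix

def parse_version(version):
    """Turn a dotted version such as '6.0.1.66' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))

def treck_vulnerable(version):
    """True if a device reports a Treck stack version below 6.0.1.67."""
    return parse_version(version) < FIXED_TRECK

def triage(scan_csv):
    """Keep only Ripple20 findings and rank hosts: internet-exposed first (the
    post says those must lose direct internet access), then highest critical
    CVSS (0.0 for the 15 CVEs the post does not score), then finding count."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        cve = row["cve"].strip().upper()
        if cve not in RIPPLE20_CVES:
            continue  # unrelated finding, left to the normal patch process
        entry = hosts.setdefault(row["host"], {
            "host": row["host"], "cves": set(), "max_cvss": 0.0,
            "internet_exposed": row["internet_exposed"].strip().lower() == "yes"})
        entry["cves"].add(cve)
        entry["max_cvss"] = max(entry["max_cvss"], CRITICAL_CVSS.get(cve, 0.0))
    return sorted(hosts.values(), reverse=True, key=lambda e: (
        e["internet_exposed"], e["max_cvss"], len(e["cves"])))

# Constructed sample export; host names are made up and CVE-0000-0000 is a placeholder.
SAMPLE_SCAN = """host,cve,internet_exposed
plc-01,CVE-2020-11896,yes
plc-01,CVE-2020-11904,yes
printer-07,CVE-2020-11901,no
infusion-pump-3,CVE-2020-11898,no
infusion-pump-3,CVE-2020-11897,no
web-01,CVE-0000-0000,yes
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_SCAN):
        action = "remove direct internet access, then " if entry["internet_exposed"] else ""
        print(f"{entry['host']}: {len(entry['cves'])} Ripple20 finding(s), max "
              f"critical CVSS {entry['max_cvss']}: {action}segment and patch")
```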

References

https://www.jsof-tech.com/ripple20/

https://treck.com/vulnerability-response-information/

https://www.us-cert.gov/ics/advisories/icsa-20-168-01

https://kb.cert.org/vuls/id/257161
