As if dealing with the repercussions of COVID-19 was not already enough, researchers recently discovered Ripple20, a set of 19 vulnerabilities found on the Treck TCP/IP stack. Not all of these vulnerabilities will cause damage. However, four are rated critical with the power to negatively impact industrial devices, power grids, home devices, retail devices, transportation, networking devices, enterprise devices and medical devices for years to come.
According to a recent Cisco blog by Fabien Maisl, “the vulnerabilities are similar to the Urgent/11 vulnerabilities published in 2019 and impacting the TCP/IP stack developed by Interpeak. Like Urgent/11, the Ripple20 vulnerabilities allow attackers to trigger remote code execution and denial of service (DoS). Many vendors such as HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter and others have already confirmed being impacted by Ripple20.”
Cisco points to CVE-2020-11901 as the most severe vulnerability. “It can be triggered by answering a DNS request from the device and may result in remote code execution,” writes Maisl. “Because DNS requests generally leave the network, they can be easily intercepted to give an attacker a way in. Furthermore, the packet sent to exploit this vulnerability will be compliant with various RFCs, making it difficult for a firewall to detect the attack.”
While the lack of public-facing IoT devices may provide manufacturers with a sense of security, SecureLink CISO Tony Howlett suggests that most organizations are still at risk. “Ripple20 is especially dangerous because it affects millions of devices based in the Treck IP stack — including devices from Cisco, Intel, and Samsung. It is made up of 19 individual vulnerabilities and is rated 9.0 on the 10.0 CVSS scale — this alone should spark a cursory review,” he says. “Remote considerations and having to manage and protect against employee’s at home IoT devices as well as the inability to patch IoT devices across large, multi-location enterprises asre also key concerns.”
Howlett tells IndustryWeek, manufacturers need to perform a risk analysis on “infrastructure against the affected companies and devices. The list isn’t complete and continues to expand almost daily. Use vulnerability scanners with released signature plug-ins (such as Qualys and Tenable to scan your network for affected devices,” he says.
Network segmentation, firewalls, router ACLs to protect affected devices can also play pivotal roles. “You should be doing this anyway for IoT networks that don't need internet access. Also, make sure none of your IPs are visible on OSTint databases like Shodan. This open source site/tool shows exposed IoT devices all over the internet. It will be a piece of cake and has probably already been done to scan this database for affected devices/signatures.”
Not practicing good supply chain security and management, especially when it comes to software components, could be a costly mistake, explains Howlett. “There are some code management tools that will help in this,” he says. “The software industry is going to have to start treating their supply chain the same way regulated industries do, where they can track every bolt and screw to who made it and in what batch.”