Israeli cybersecurity firm JSOF has released information on a group of vulnerabilities dubbed Ripple20. These vulnerabilities have the potential to critically impact millions of internet of things (IoT) devices across many different industries — crucial machines in the medical, oil and gas, transportation, power, and manufacturing industries can be affected by these bugs. A list of specific vendors with vulnerable devices can be seen in this technical report from JSOF.
The vulnerabilities are rooted in software developed by the American company Treck Inc. and first released in the late 1990s. This software implements a lightweight TCP/IP stack that lets manufacturers connect their devices or software to IP networks, including the internet.
Given that this software has been available and in use for many years, and enterprises of all sizes have been bringing more and more devices online, it is no surprise that the impact of Ripple20 is widespread. As noted by JSOF in their report, “Ripple20 reached critical IoT devices from a wide range of fields, involving a diverse group of vendors. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations.”
IoT and industrial internet of things (IIoT) devices need lightweight network components to conserve their limited computing power, but problems with third-party network communication software have plagued the landscape for years. In 2018, 13 bugs in the FreeRTOS TCP/IP stack put IoT devices in homes and in critical infrastructure at risk. And in 2019, medical devices and hospital networks were put at risk by a group of eleven vulnerabilities named Urgent/11. Those vulnerabilities were in IPnet, a third-party TCP/IP stack supporting network communications; an attacker could potentially use them to remotely take control of medical devices or prevent them from functioning.
The vulnerabilities found in Treck Inc. software are particularly notable because of the breadth of their impact: the software has spread around the world and has been used directly and indirectly by many different manufacturers, so a device vendor may not even know its product contains the Treck stack. In statements to the press, Shlomi Oberman, CEO of JSOF, noted that "Not that many people have heard of this company, but they are a leading provider of TCP-IP stacks, so they're at the beginning of a really complex supply chain."
Specifically, Ripple20 is a group of 19 vulnerabilities that, if successfully exploited, could allow an attacker to execute arbitrary code on any vulnerable device they can reach. Attackers can reach vulnerable devices over the local network or over the internet and fully take control of them, a critical issue when vulnerable devices include those in power grids, manufacturing plants, and hospitals. One of these bugs is a vulnerability in the DNS client, which a sophisticated attacker could use against devices that are not directly exposed to the internet: the attack is carried in a malicious DNS response, which reaches the device through whatever resolver it queries. JSOF has outlined other possible attacks, including using a vulnerable device as a pivot to target other devices in the network, using a vulnerable device to persist and stay hidden in the network, and broadcasting an attack to take control of all impacted devices in the network simultaneously. Treck has released a security update addressing these vulnerabilities.
The Cybersecurity and Infrastructure Security Agency (CISA) assigned CVSS scores above 8.0 to five of these vulnerabilities, two of which scored 10.0 (the highest possible rating). CISA also encourages users to take "defensive measures" against these vulnerabilities: installing updates from Treck (or from the device vendor that embeds the stack), minimizing network exposure so that control-system devices are not reachable from the internet, placing them behind firewalls, using virtual private networks for any remote access, and using internal DNS servers so that devices never resolve names through an untrusted resolver.
Mitigation and Solutions
Detection is the first step to avoiding attacks that abuse these vulnerabilities. In many cases, asset owners are not aware that the Treck stack, and therefore these vulnerabilities, exists in their environment, because it is embedded several layers down the supply chain. Products like EdgeIPS™ and EdgeFire™ can help owners detect devices exposed to Ripple20 by scanning network traffic. Once vulnerable devices are identified, users should immediately apply the security updates supplied by the device manufacturer; where no update is available yet, which is common for long-lived embedded devices, the mitigations below are the compensating controls.
Here are other mitigation tactics to help users manage Ripple20:
Network segmentation: Appropriate internal segmentation and micro-segmentation should be performed in the OT network environment, so that a compromised device cannot reach every other device on a flat network. Asset owners can use EdgeFire™ for internal segmentation through communication-controlled NAT and ICS protocol filtering, and EdgeIPS™ for in-depth micro-segmentation in front of individual assets.
Network policy control: The principle of zero trust, in which only explicitly permitted communication is allowed and everything else is denied, cannot be achieved without an enforcement point. EdgeFire™ and EdgeIPS™ provide network access whitelists for machine-to-machine (M2M) communication based on IP addresses, ICS protocols and individual protocol commands.
Prevention: For high-risk vulnerabilities such as Ripple20, EdgeIPS™ and EdgeFire™ update their rule sets to block exploitation attempts in transit (virtual patching), protecting devices that cannot yet be patched.
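The policy described above (an explicit allowlist of M2M conversations with everything else denied) together with two of the CISA measures from earlier in the post (no ingress from outside the OT segment, and DNS only to an internal resolver) can be expressed as a small audit over flow records. The following is an added example for this post, not code from TXOne, EdgeIPS/EdgeFire, JSOF or Treck; the addresses, the flow-log line format, the allowlist entries and the sample records are all assumptions constructed for the example.

```python
# Allowlist (default-deny) policy audit for machine-to-machine flows in an OT segment.
# Added example for this post; NOT code from TXOne, EdgeIPS/EdgeFire, JSOF or Treck.
# Addresses, the flow-log format and the allowlist below are assumptions.
from __future__ import annotations

import re
from ipaddress import ip_address, ip_network
from typing import NamedTuple

OT_SEGMENT = ip_network("10.10.0.0/24")   # assumed: the segmented OT subnet
INTERNAL_DNS = ip_address("10.10.0.53")   # assumed: the only resolver OT devices may use

# Explicit allowlist of M2M conversations as (src, dst, proto, dst port).
# Anything not listed is denied, which is the zero-trust rule the post describes.
ALLOWLIST = {
    ("10.10.0.10", "10.10.0.20", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    ("10.10.0.10", "10.10.0.21", "tcp", 44818),  # HMI -> drive, EtherNet/IP
    ("10.10.0.30", "10.10.0.20", "tcp", 502),    # historian -> PLC, Modbus/TCP
}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


# Assumed flow-log line format: "<timestamp> <src> -> <dst> <proto>/<dport>"
_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+(?P<proto>tcp|udp)/(?P<dport>\d+)$"
)


def parse_flow(line: str) -> Flow:
    """Parse one flow record; raise on anything that does not match the format."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["src"], m["dst"], m["proto"], int(m["dport"]))


def verdict(flow: Flow) -> str:
    """Return 'allow' or 'deny:<reason>' for one flow.

    Checks run from most to least specific so the reported reason is the one
    an operator would act on first.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # 1. Minimize network exposure: nothing outside the OT segment may initiate
    #    a connection to a device inside it.
    if dst in OT_SEGMENT and src not in OT_SEGMENT:
        return "deny:external-ingress"
    # 2. Internal DNS only: the Ripple20 DNS bug is triggered by a malicious DNS
    #    response, so devices may only talk to a resolver the operator controls.
    if flow.proto == "udp" and flow.dport == 53:
        return "allow" if dst == INTERNAL_DNS else "deny:dns-not-internal"
    # 3. Default deny: only explicitly allowlisted M2M conversations pass.
    if (flow.src, flow.dst, flow.proto, flow.dport) in ALLOWLIST:
        return "allow"
    return "deny:not-in-allowlist"


def audit(lines: list[str]) -> list[tuple[Flow, str]]:
    """Apply the policy to each flow record and return (flow, verdict) pairs."""
    return [(f, verdict(f)) for f in map(parse_flow, lines)]


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "2020-06-22T10:00:00Z 10.10.0.10 -> 10.10.0.20 tcp/502",    # HMI -> PLC: allowed
    "2020-06-22T10:00:01Z 10.10.0.20 -> 10.10.0.53 udp/53",     # PLC -> internal DNS: allowed
    "2020-06-22T10:00:02Z 10.10.0.20 -> 8.8.8.8 udp/53",        # PLC -> public DNS: denied
    "2020-06-22T10:00:03Z 203.0.113.7 -> 10.10.0.20 tcp/502",   # internet -> PLC: denied
    "2020-06-22T10:00:04Z 10.10.0.30 -> 10.10.0.21 tcp/44818",  # historian -> drive: not allowlisted
]

if __name__ == "__main__":
    for flow, result in audit(SAMPLE_FLOWS):
        print(f"{flow.src:>13} -> {flow.dst:<13} {flow.proto}/{flow.dport:<5} {result}")
```

Run against a real flow export, the "deny" verdicts are the list of conversations to either add to the allowlist deliberately or block at the segmentation device; the "deny:dns-not-internal" entries in particular identify devices whose DNS path an attacker could use to deliver a malicious response.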