John Pescatore - SANS Director of Emerging Security Trends
This week’s Drilldown focuses on just one item (included below) from NewsBites Issue 49. While this item focuses on yet another example of serious vulnerabilities in “nontraditional” IT, it points out how this same vulnerability can be found embedded in a wide array of products in use at many businesses, including those from “traditional” IT suppliers.
Researchers at JSOF, a boutique Israeli product security consulting firm, discovered 19 vulnerabilities in the library modules of software vendor Treck’s products for TCP/IPv4/v6 and associated protocols. At discovery time, patches existed for only 4 of the 19 vulnerabilities; the other 15 were zero-day vulnerabilities with no patch available. The flaws were mostly the result of well-known bad programming practices and allow attackers to remotely execute code or bypass security controls.
Treck’s software is used in hundreds of products. JSOF listed these vendors in its advisory: Intel, HP, Schneider Electric, Caterpillar, B. Braun, Green Hills, Rockwell Automation, Cisco, Teradici, Baxter and Carestream. That list alone spans IT network, medical, control and automation equipment. The name “Ripple20” was given to the group of flaws.
The full list of products using the vulnerable library modules is really only known by Treck, and the advice on its website is not tremendously illuminating or helpful:
Treck is committed to delivering secure, high performing products. For more than 20 years we have been consistently working to maintain the quality and integrity of our products. Our latest version of Treck’s TCP/IPv4/v6 and associated protocols has been updated to include fixes for a group of vulnerabilities (VU#257161 and ICS-VU-035787) that were reported by Moshe Kol and Shlomi Oberman of the independent security research group, JSOF. Treck is also providing patches for each issue that was reported. Some of the issues are of high severity. The exposure to these high severity issues greatly depends on the Treck products being used. To determine the level of exposure Treck customers should review the list of CVE’s below and contact email@example.com. [emphasis added]
The supply chain aspect of the Ripple20 flaws is similar to the impact of the Heartbleed vulnerability found in the OpenSSL stack in 2014: the flawed software can be anywhere.
The mitigation steps are similar, too:
- Discover where the vulnerable software is in use at your enterprise and by your suppliers. Many security vendors are releasing scripts or signatures to help find the use of the Treck stack. NAC vendor ForeScout Technologies worked with JSOF and was early with a fingerprinting capability, described here.
- Determine business-critical usage to prioritize remediation.
- Segment and shield what can’t be patched.
- Learn. How well did your discovery, prioritization, patching and segment/shield processes extend to the types of products that include the vulnerable Treck modules?
- Educate upward. CXOs and boards are hearing a lot about supply chain security, but mostly from an “Are we at risk using products from China?” perspective.
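The discover/prioritize/segment-or-patch flow above, as an added worked example (not code from SANS, JSOF, Treck or any of the vendors named). It triages a constructed asset inventory against the vendor list JSOF published: assets whose Treck usage is confirmed get "patch" if a patch exists and the device can actually be updated, otherwise "segment/shield"; assets from a listed vendor whose stack is still unknown get "confirm" for a discovery pass; business-critical assets sort first. The `Asset` fields, the `treck_stack` flag (which in practice would come from a vendor advisory or a NAC fingerprint) and the sample hosts are all assumptions made for illustration.

```python
"""Added example: triage an asset inventory against a supply-chain advisory.
Not part of the SANS item; the Asset fields, the treck_stack flag and the
SAMPLE_ASSETS below are constructed for illustration only."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Vendors JSOF named in its Ripple20 advisory as shipping products on the Treck stack.
RIPPLE20_VENDORS = {
    "intel", "hp", "schneider electric", "caterpillar", "b. braun", "green hills",
    "rockwell automation", "cisco", "teradici", "baxter", "carestream",
}

# Work queue order within a criticality tier: fix first, isolate second, investigate third.
ACTION_ORDER = {"patch": 0, "segment/shield": 1, "confirm": 2, "none": 3}


@dataclass
class Asset:
    hostname: str
    vendor: str
    business_critical: bool
    treck_stack: Optional[bool]   # True/False from fingerprinting or advisory, None = unknown
    patch_available: bool         # has the product vendor shipped a fix?
    patchable: bool               # can the device be taken down and updated at all?


def classify(asset: Asset) -> str:
    """Map one asset to its next action in the discover/prioritize/shield flow."""
    if asset.treck_stack is False:
        return "none"
    if asset.treck_stack is None:
        # Unconfirmed stack: a discovery pass is only warranted for vendors the advisory names.
        return "confirm" if asset.vendor.lower() in RIPPLE20_VENDORS else "none"
    # Confirmed Treck stack: patch when possible, otherwise segment and shield.
    if asset.patch_available and asset.patchable:
        return "patch"
    return "segment/shield"


def triage(assets: List[Asset]) -> List[Tuple[str, str, bool]]:
    """Return (hostname, action, business_critical) rows, critical assets first,
    ordered by ACTION_ORDER within each tier; assets needing no action are dropped."""
    rows = [(a.hostname, classify(a), a.business_critical) for a in assets]
    rows = [r for r in rows if r[1] != "none"]
    rows.sort(key=lambda r: (not r[2], ACTION_ORDER[r[1]]))
    return rows


# Constructed sample inventory (hostnames and attributes are invented).
SAMPLE_ASSETS = [
    Asset("plc-line1", "Rockwell Automation", True, True, True, False),   # fix exists, can't take down
    Asset("printer-3f", "HP", False, True, True, True),                   # fix exists, can update
    Asset("infusion-pump-12", "B. Braun", True, None, False, False),      # stack not yet confirmed
    Asset("switch-core", "Cisco", True, True, True, True),                # critical and patchable
    Asset("nas-lab", "ExampleVendor", False, None, False, True),          # vendor not in advisory
    Asset("cam-lobby", "Teradici", False, False, True, True),             # fingerprint ruled it out
]

if __name__ == "__main__":
    for hostname, action, critical in triage(SAMPLE_ASSETS):
        print(f"{'CRITICAL ' if critical else '         '}{action:15} {hostname}")
```

The "confirm" bucket is the one most teams underestimate: Treck's own statement says the full list of affected products is only known to Treck, so a listed vendor with an unknown stack stays on the work queue until a fingerprint or a vendor advisory settles it, rather than silently dropping off the report.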
This insidious problem of multiple levels of the supply chain baking in vulnerabilities that almost anyone can exploit remotely carries a higher risk of damaging impact for most companies than a nation-state attack does. Management support is needed for changing procurement practices and audits to focus on vulnerability risk across the supply chain, and for changing operations to support “quarantining” of devices where safety or danger cannot be fully evaluated.
Ripple20 Vulnerabilities Affect Millions of IoT Devices
(June 16, 2020)
Researchers from JSOF, an Israeli security company, have discovered a group of vulnerabilities that affect millions of Internet of Things (IoT) devices. Ripple20 is “a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc.” At least four of the flaws have CVSS base scores over 9.0. In March, Treck issued an updated version of its library to address the flaws. However, tracking down all vulnerable devices is difficult at best, and there are likely situations in which devices cannot be patched.
[Ullrich] This flaw will keep us busy for the foreseeable future. The Treck IP Stack is used in millions of devices made by an unknown number of manufacturers. As an end user, you likely have no idea that your equipment uses this IP stack. Identifying these devices and patching them will take years.
[Pescatore] Cisco, Intel and HP/Samsung have issued alerts around their products that are or may be at risk. This isn’t just an obscure IoT device risk issue, though it is a huge issue there. There are 19 CVEs--in order to mitigate or patch, discovery of vulnerable devices with the Treck stack is key. Some discovery and NAC vendors have released scripts and signatures to detect use of the vulnerable stack. Treck recommends that you review those CVEs and, if you have questions about a device, that you contact them via email at firstname.lastname@example.org.
Read more in:
JSOF: Ripple20 | 19 Zero-Day Vulnerabilities Amplified by the Supply Chain
Wired: A Legion of Bugs Puts Hundreds of Millions of IoT Devices at Risk
ZDNet: Ripple20 vulnerabilities will haunt the IoT landscape for years to come
Dark Reading: “Ripple20” Bugs Plague Enterprise, Industrial & Medical IoT Devices
Bleeping Computer: Ripple20 vulnerabilities affect IoT devices across all industries