Ripple20: The critical IoT vulnerability.
What is it?
Ripple20 is a set of 19 zero-day vulnerabilities, discovered by the JSOF research lab in a widely used low-level TCP/IP software library developed by Treck, Inc. These vulnerabilities include multiple remote code execution vulnerabilities and have the potential to affect hundreds of millions of devices. This has the potential to be the widest impacting vulnerability ever!
The extent of IoT (internet of things) devices can be found in a large and diverse group of vendors from boutique suppliers to well know multinationals, with names including HP, Schneider Electric, Intel, Rockwell Automation, Samsung and Caterpillar.
What this means to you is that many everyday devices, both consumer and industrial could be exploited for nefarious purposes. And with so many devices in the supply chain, this can leave companies and businesses very vulnerable and at risk.
How bad could it be?
Look at it this way, the most common types of equipment that have been identified as running the Treck code are infusion pumps, printers, UPS (uninterruptible power supply) systems, networking equipment, POS devices, IP cameras, video conferencing systems, building automation devices and ICS devices.
JSOF have listed some of the potential risks from using devices compromised by Ripple20:
- An attacker from outside the network taking control over a device within the network, if internet facing.
- An attacker who has already managed to infiltrate a network can use the library vulnerabilities to target specific devices within it.
- An attacker could broadcast an attack capable of taking over all impacted devices in the network simultaneously.
- An attacker may utilize affected devices as a way to remain hidden within the network for years
- A sophisticated attacker can potentially perform an attack on a device within the network, from outside the network boundaries, thus bypassing NAT configurations. This can be done by performing a MITM attack or a DNS cache poisoning.
- In some scenarios, an attacker may be able to perform attacks from outside the network by replying to packets that leave network boundaries, bypassing NAT.
The worst part? In all these scenarios, an attacker can gain completed control over the targeted device from a remote location, with absolutely no user interaction required.
What should I do?
Right now, Treck has begun notifying customers and started issuing patches for the Ripple20 vulnerabilities, however this doesn’t mean all devices will be patched, and given how widespread the use of the code stack, the full impact of the vulnerability remains unclear.
It is highly recommended to take the appropriate measures to minimise the risk of device exploitation. This means reviewing the affected suppliers and determining if any devices and hardware are currently being used within your business, or at any stage of your business’ supply chain, and from this rectifying the issue.
Macquarie Government has completed a full audit and scan of our hard hardware across the board and any instances of the TCP/IP stack have now been updated and patched to eliminate the vulnerability. In addition to this, as our data centres are not connected to the wider internet, customers have further reassurance that this vulnerability could not be exploited.
Where can I find out more?
Further reading can be found on the JSOF website in the form of a comprehensive and technical overview of Ripple20.
About Macquarie Government.
Since 2008, Macquarie Government, part of the ASX-listed Macquarie Technology Group (ASX: MAQ), has been trusted by 42% of the Australian Government to provide secure, sovereign and compliant cloud, cyber security and data centre services.
Macquarie Government’s cloud, housed in our own data centres, has been certified by the Australian Signals Directorate (ASD) to handle Protected (Classified) data, and is supported by our own local 24×7 Hosting Management Centre and Security Operations Centre (SOC). With over 120 government-cleared engineering specialists, we are always here to help.