Ripple20 is causing shock waves right now across our industry. And for legitimate reasons. Ripple20 consists of 19 vulnerabilities that have the potential to impact hundreds of millions of end devices, including smart-home devices, industrial control systems, medical and healthcare systems, and even devices used in key parts of infrastructure such as energy, transportation, communication, and the government and national security sectors
If you haven’t been keeping up with all the industry buzz on this topic, here is a brief synopsis from the independent security research company who uncovered the vulnerabilities, JSOF.
To understand the severity of the vulnerabilities, JSOF has assigned scores using the Common Vulnerabilities Scoring System (CVSS) 3.0 – which is a free and open industry standard for assessing vulnerabilities. The CVSSv3.0 scale ranges from 1 to 10 with 10 being the most severe.
Of the 19 vulnerabilities:
The real danger is that, through these vulnerabilities, an attacker can gain complete control over the targeted IoT device remotely, without user interaction required. This would enable them to render it useless or force it to run any malicious code they choose, such as ransomware.
Furthermore, for many of these vulnerabilities, the packets sent are very similar to valid packets, or, in some cases are completely valid packets. This enables the attack to pass as legitimate traffic and go undetected by firewalls and threat detection systems.
To illustrate these dangers, JSOF researchers will be releasing another two white papers following BlackHat USA this year showing how they managed to exploit some of the bugs to switch off a Schneider Electric UPS.
The silver lining to this rather dark cloud is that, according to the US Cybersecurity and Infrastructure Security Agency, there are no known public exploits of these vulnerabilities to date, and it is anticipated that it would take a high skill level for a malicious actor to be able to exploit them.
Regardless, due to the potentially catastrophic impact of a malicious actor gaining control of critical infrastructure or a medical device being used for patient care, it is best to be vigilant and mitigate the risk of these vulnerabilities as quickly as possible.
The best way to mitigate the risk is, of course, to upgrade or patch any device that is believed to be impacted by these vulnerabilities. Treck, the developer of the TCP/IP stack, has already fixed all issues that were reported and made them available to their customers either through their newest code release (18.104.22.168 or later), or patches. Note that Trek has a vulnerability response website located here.
But patching and upgrading is easier said than done since as mentioned above, even identifying which devices are potentially impacted is complex. Then it is the sheer number of devices, many of them providing business-critical functions – that would need to be patched or upgraded – going back twenty years in time.
The CERT Coordination Center from the Software Engineering Institute at Carnegie Mellon University provides a list of vendors who are known to be impacted by these vulnerabilities. It ranges from printer suppliers, such as Xerox, to suppliers of heavy industrial equipment, such as Caterpillar. As the impact to many suppliers is still unknown, it is best to bookmark this website and refer to it often.
For a variety of reasons, upgrading and patching end devices may not be feasible. In this case, the US Cybersecurity and Infrastructure Security Agency recommend that companies take the following actions:
In addition, the CERT CC offers some valuable network mitigations to help protect suspected devices from the risk of attack. These include blocking IP fragmented traffic, and where possible, blocking IP source routing and more.
For companies that need to act quickly to protect high-value assets, Extreme’s Defender for IoT solution helps to protect, isolate, and monitor endpoints such as medical devices and even Industrial Control Systems. It is designed to run over any network infrastructure, to quickly and easily enable the secure connectivity of IoT, without requiring any network upgrades or complicated security appliances. It is a fast and easy way to reduce the potential attack surface of any mission-critical devices that are suspected to contain this or other vulnerabilities.
Defender for IoT offers the following critical functionality:
Isolates groups of IoT devices in their own IPsec encrypted segment (or Fabric Connect hyper-segment) that extends from the device to the Data Center to limit the visibility of vulnerable devices. These segments can be overlaid over any IP network (Extreme or third party), regardless of its age and its functionality.
Applies whitelist profiles to lock down communication to only authorized hosts, using only authorized protocols or applications.
A few longer-term strategies companies can take related to the deployment of infrastructure to enhance IoT security include:
Important industry resources:
As there is still much to learn about the impacts of these vulnerabilities, here are some valuable websites that you can refer to, to make sure that you are accessing the latest information:
For more information:
Register and download our Top 10 Network Security Best Practices eBook