Security researchers revealed 19 vulnerabilities, dubbed Ripple20, in a widely used TCP/IP software library developed by Treck, Inc. that could put hundreds of millions of connected devices at risk.
JSOF, a cyber consultancy and project firm located in Israel, disclosed the vulnerabilities on June 16, which include multiple remote code execution flaws. The widespread use of the software library by vendors throughout supply chains compounds the number of affected organizations, creating the ripple effect that prompted the vulnerabilities' name. Devices across industry verticals with many different applications are at risk, including those from well-known vendors such as HP, Intel, Baxter and Rockwell Automation, according to JSOF.
For organizations that rely heavily on IoT or embedded devices for operational or production networks like power grids, the effects are much more meaningful, said JSOF CEO Shlomi Oberman in an email to IoT Agenda. An exploit on a vulnerable device in a power grid or an oil facility could cause physical damage, so IT pros should make security a priority in industrial control systems. Security researchers are still working on identifying the affected devices.
"Fortunately, no one has detected exploitation of Ripple20. But since these vulnerabilities will be present for a very long time, we want to take measures to prevent another Mirai botnet type of scenario," said Forrester senior analyst Brian Kime. "The challenge is: How do I identify if I have these vulnerabilities in my environment? Traditional network vulnerability scanners are unlikely to detect these vulnerabilities because this TCP/IP stack is embedded in the product."
Daniel dos Santos, a research manager at Forescout Research Labs, coordinated research with JSOF to help identify affected devices. JSOF named HP printers as affected at the beginning of its research, and Forescout detected vulnerabilities in Baxter infusion pumps. Researchers also identified vulnerabilities in uninterruptible power supplies (UPSes) used in data centers to manage power and prevent blackouts.
"It's a wide array of devices. It goes from things that you would find in a normal enterprise corporation, like printers, to very specific things that you would find in a hospital or data center," dos Santos said.
How the vulnerabilities work
All Ripple20 vulnerabilities exist in different TCP/IP stack components. Some vulnerabilities are at the basic IP level, some are in the TCP and others are higher in the stack in the DNS component, dos Santos said. An attacker can bypass firewalls and take control of devices without any user interaction. Many of the packets that take advantage of the vulnerabilities register as valid packets and pass as legitimate traffic. Attackers can also hide code within the devices and wait for years to use it.
"The most dangerous [vulnerabilities] are at the bottom of this stack. It's easier to exploit because it's more basic communication. You don't need a specific application or any sort of access to the device," dos Santos said. "The potential impact of the vulnerability ranges from information leak -- which means that you can read some information from the device but not necessarily alter the state or do anything against the device -- to what we call remote code execution."
The vulnerabilities that allow remote code execution exploits mean hackers can take over and run any command on a targeted device. JSOF researchers were able to execute a proof-of-concept exploit on one of the UPSes and switch off the device using a remote code execution flaw without knowing the password or privileged information.
Identifying and patching the vulnerabilities
Once JSOF realized the potential extent of the vulnerabilities, the team coordinated with external cybersecurity groups. Security researchers, such as those from Forescout Research Labs and agencies, such as the Department of Homeland Security and multiple national computer emergency response teams, assisted in identifying compromised devices. The Forescout team used its data in the device cloud and traffic signatures specific to the affected software library to identify potentially compromised devices.
Daniel dos SantosResearch manager, Forescout Research Labs
In some cases, identifying and patching the Ripple20 vulnerabilities might be difficult. Organizations may use unsupported devices or equipment from defunct vendors. The initial version of the Treck TCP/IP stack was published in the '90s and may have been used in legacy devices. Even if a vendor issues a patch, organizations might not be able to apply it because they cannot take the device offline or the device might only run certain applications that are not compatible with the patch.
"[Patching is] a nuanced process," dos Santos said. "It might happen that some devices will never be patched at any point."
Ripple20 is not the first set of vulnerabilities to present this dilemma. In July 2019, researchers found a similar set of vulnerabilities in the IP stack called Urgent/11. Researchers are still identifying devices that are at risk from earlier vulnerabilities, dos Santos said.
What to do if Ripple20 can't be patched
The best mitigation for IoT device suppliers is to identify which devices are affected and to patch the vulnerabilities, according to Oberman. If organizations cannot patch their devices, there are a few steps they can take to protect them from potential Ripple20 exploits. One option is taking the device offline to eliminate any risk, but these devices are usually essential for business purposes, dos Santos said. Organizations should build protection around the device in the form of network segmentation, firewalls and ensuring they can only communicate with approved devices. IT administrators should continuously monitor the network for potential exploitation and apply corrective action at the time of attack, such as taking the device offline.
"Patching is usually the way to go. But if you cannot do that -- and even when you can do that -- to prevent issues, you should be able to isolate devices as much as you can," dos Santos said. "Nowadays, it's basically the top recommendation, being sure that you can isolate those devices as much as possible, and that you can limit the potential impact."
Further steps that organizations can take include using a sanitizing recursive DNS server, especially for large organizations where the attackers could be more sophisticated and use a zero-trust security model.
"We create microperimeters around our devices, knowing that there's a lot of these components that go into IoT devices and different operating systems that may not be well-developed and may have lots of unknown vulnerabilities," Forrester's Kime said. "Ripple20 is an example of why we need a zero-trust strategy that hypersegments user identities, devices that have analytics and automation orchestration around all the components of a zero-trust framework."
Ripple20 reiterates security best practices for all involved
Developers and manufacturers usually build protection into their software through secure coding practices. The Ripple20 vulnerabilities stem from the way developers wrote the software. The language used is inherently unsafe and it's difficult to prevent the vulnerabilities in the first place, dos Santos said. Since the Treck TCP/IP software library was written, the industry has developed secure development lifecycles with greater awareness of vulnerabilities.
"Older software, or even software that is written nowadays but doesn't follow a strict development rights cycle, will contain vulnerabilities," dos Santos said.
The key to preventing vulnerabilities like Ripple20 is to follow strict, secure coding practices, and everyone needs to work together -- vendors, software developers, network operators -- to reduce the risk to our interconnected world, Kime said.
"All security and risk professionals should be continually having conversations with their vendors about doing better, doing more and staying on top of the latest trends," Kime said. "The vendors need to do better with securing their products before they go to market. They need to build products that when a vulnerability is discovered can be mitigated."
Organizations can also protect their devices through exploit mitigations, but the ability to do so depends on the device. They should ensure that software components or third-party software they use follow the secure development lifecycle. The Ripple20 vulnerabilities also serve as a reminder to implement IoT security best practices and perform penetration testing.
"The issue is that vulnerabilities will probably always be there," dos Santos said. "What we can do is try to reduce the number at the beginning and, even when they appear, try to make it more difficult for the attackers to exploit them. Everybody is involved in making sure that that networks are secure."