Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

03:00 PM
Tanner Johnson
Tanner Johnson
Connect Directly
E-Mail vvv

Ripple20's Effects Will Impact IoT Cybersecurity for Years to Come

A series of newly discovered TCP/IP software vulnerabilities pose a threat to millions of IoT devices. Undiscovered since the early 1990s, they highlight the need to improve security in an increasingly precarious IoT supply chain.

While the modern-day Internet supports considerable security controls such as encryption, identification, and authentication, this was not always the case. Concerns regarding cybersecurity were largely absent during the initial development and deployment of the early Internet. As a result, many of today's commonly used security solutions have been designed and applied piecemeal. So it's no surprise that several newly discovered flaws in the underlying network stack infrastructure, unknown and unpatched since the late 1990s, have recently been discovered. The implications of such vulnerabilities can prove catastrophic for the perpetually growing IoT landscape.

An Israel cybersecurity company named JSOF has managed to uncover a series of zero-day vulnerabilities in an old TCP/IP software library. Vulnerabilities that exist, but are unknown to the affected product vendor, are commonly referred to as zero-day vulnerabilities. The nature of these flaws mean they are exploitable until the vulnerable systems are patched by the vendor. However, even if a patch is released, many updates (especially on older components) cannot be automatically executed, and require human interaction to install. As a result, zero-day vulnerabilities simultaneously pose the greatest threats to information security, while being viewed as the most sought-after prize for cybercriminals to attain and share.

In total, JSOF discovered 19 of these vulnerabilities, but named the batch of flaws Ripple20 to illustrate the "ripple effect" these security defects will have on connected devices for years to come. The specific flaws themselves were determined to have spawned from a Cincinnati-based organization named Treck Inc. Treck was responsible for developing a high-performance TCP/IP protocol suite for use in embedded systems by connected device manufacturers.

As a result of the suite’s popularity, the vulnerabilities were able to infiltrate the global markets unnoticed through the supply chain itself. For instance, JSOF determined that a joint collaboration between Treck and a firm named Elmic Systems, allowed the vulnerabilities to also propagate into the Japanese market more than 20 years ago.

When it comes to understanding the software flaws themselves, knowledge of two primary components of the vulnerability ecosystem are essential. These include the Common Weakness Enumeration (CWE) values, and the Common Vulnerability Scoring System (CVSS) values. While there many independent variables that dictate the overall classification of these values for each vulnerability in question, the CWE serves as a common language for describing the nature of the vulnerabilities themselves, while the CVSS scores provide a universal yardstick for measuring their overall severity.

With regard to the Ripple20 vulnerabilities, three of the most common CWE values are CWE-20, CWE-125, and CWE-200. CWE-20 impacts the ability of the system to effectively validate user input, potentially allowing an adversary to execute malicious code. A CWE-125 flaw could grant an adversary the ability to read memory outside the intended buffer. Lastly, a CWE-200 vulnerability could result in the potential exposure of sensitive information. Additionally, CVSS scores reflect not only the criticality of the flaw, but also the degree of knowledge required to exploit the flaw. Unfortunately, four of the Ripple20 flaws have a CVSS score of 9/10 or higher, meaning they can be weaponized for devastating impact without requiring considerable expertise from the attacker.

While JSOF has provided recommendations to help mitigate the risks of Ripple20, the overall reach and scope of the flaws have significant market implications. Adding greater complexity to this specific challenge is the age of the vulnerable infrastructure itself, as these zero-day vulnerabilities have managed to permeate into millions of products from over 100 vendors. Components utilizing the vulnerable network stack library have been discovered in industrial environments, healthcare, consumer, retail, utilities, aviation, enterprise, transportation, and even national security sectors.

The resulting impact of a successfully exploited Ripple20 vulnerability can take many forms. If the flaws were exploited properly, an attacker could gain total control over an internal network device, from outside the network perimeter through the internet facing gateway. If multiple vulnerable devices were discovered, an adversary could potentially broaden their attack to target all unpatched components simultaneously. Lastly, a vulnerable device could allow an attacker to exploit a vulnerable component for years, without ever being noticed. Depending on the type of device, the consequences of these attacks can range from annoying to potentially life threatening.

It should be noted that while Treck was quick to update its TCP/IP stack to a version that addresses these vulnerabilities, that was the easier part of the security fix. Unfortunately, even after being notified that their products are affected, installing the patch has proven difficult for many vendors. Furthermore, this remediation effort can prove impossible for vulnerable components still in use, but whose vendors are no longer in business after 20 years.

The effort of tracking down all vulnerable components and systems, through a supply chain spanning two decades, will remain a considerable forensic challenge in the coming years. And this represents just one series of flaws. When combined with similar vulnerabilities that have already been discovered, and those that have yet to be uncovered, the fragile state of the IoT supply chain becomes clear. Without a more concerted effort to improve IoT and network device security, throughout the entire lifecycle from development to deployment and through to retirement, the IoT landscape will remain nearly impossible to secure.

Related Content:

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Tanner Johnson is a cybersecurity analyst focused on IoT and transformative technologies at Omdia. His coverage is focused on examining the various threats that occupy the IoT technology domain, as well as opportunities and strategies that are emerging as data connectivity ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system...
PUBLISHED: 2021-03-07
An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when using the caldav_public_...