Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
7/22/2020
03:00 PM
Tanner Johnson
Tanner Johnson
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Ripple20's Effects Will Impact IoT Cybersecurity for Years to Come

A series of newly discovered TCP/IP software vulnerabilities pose a threat to millions of IoT devices. Undiscovered since the early 1990s, they highlight the need to improve security in an increasingly precarious IoT supply chain.

While the modern-day Internet supports considerable security controls such as encryption, identification, and authentication, this was not always the case. Concerns regarding cybersecurity were largely absent during the initial development and deployment of the early Internet. As a result, many of today's commonly used security solutions have been designed and applied piecemeal. So it's no surprise that several newly discovered flaws in the underlying network stack infrastructure, unknown and unpatched since the late 1990s, have recently been discovered. The implications of such vulnerabilities can prove catastrophic for the perpetually growing IoT landscape.

An Israel cybersecurity company named JSOF has managed to uncover a series of zero-day vulnerabilities in an old TCP/IP software library. Vulnerabilities that exist, but are unknown to the affected product vendor, are commonly referred to as zero-day vulnerabilities. The nature of these flaws mean they are exploitable until the vulnerable systems are patched by the vendor. However, even if a patch is released, many updates (especially on older components) cannot be automatically executed, and require human interaction to install. As a result, zero-day vulnerabilities simultaneously pose the greatest threats to information security, while being viewed as the most sought-after prize for cybercriminals to attain and share.

In total, JSOF discovered 19 of these vulnerabilities, but named the batch of flaws Ripple20 to illustrate the "ripple effect" these security defects will have on connected devices for years to come. The specific flaws themselves were determined to have spawned from a Cincinnati-based organization named Treck Inc. Treck was responsible for developing a high-performance TCP/IP protocol suite for use in embedded systems by connected device manufacturers.

As a result of the suite’s popularity, the vulnerabilities were able to infiltrate the global markets unnoticed through the supply chain itself. For instance, JSOF determined that a joint collaboration between Treck and a firm named Elmic Systems, allowed the vulnerabilities to also propagate into the Japanese market more than 20 years ago.

When it comes to understanding the software flaws themselves, knowledge of two primary components of the vulnerability ecosystem are essential. These include the Common Weakness Enumeration (CWE) values, and the Common Vulnerability Scoring System (CVSS) values. While there many independent variables that dictate the overall classification of these values for each vulnerability in question, the CWE serves as a common language for describing the nature of the vulnerabilities themselves, while the CVSS scores provide a universal yardstick for measuring their overall severity.

With regard to the Ripple20 vulnerabilities, three of the most common CWE values are CWE-20, CWE-125, and CWE-200. CWE-20 impacts the ability of the system to effectively validate user input, potentially allowing an adversary to execute malicious code. A CWE-125 flaw could grant an adversary the ability to read memory outside the intended buffer. Lastly, a CWE-200 vulnerability could result in the potential exposure of sensitive information. Additionally, CVSS scores reflect not only the criticality of the flaw, but also the degree of knowledge required to exploit the flaw. Unfortunately, four of the Ripple20 flaws have a CVSS score of 9/10 or higher, meaning they can be weaponized for devastating impact without requiring considerable expertise from the attacker.

While JSOF has provided recommendations to help mitigate the risks of Ripple20, the overall reach and scope of the flaws have significant market implications. Adding greater complexity to this specific challenge is the age of the vulnerable infrastructure itself, as these zero-day vulnerabilities have managed to permeate into millions of products from over 100 vendors. Components utilizing the vulnerable network stack library have been discovered in industrial environments, healthcare, consumer, retail, utilities, aviation, enterprise, transportation, and even national security sectors.

The resulting impact of a successfully exploited Ripple20 vulnerability can take many forms. If the flaws were exploited properly, an attacker could gain total control over an internal network device, from outside the network perimeter through the internet facing gateway. If multiple vulnerable devices were discovered, an adversary could potentially broaden their attack to target all unpatched components simultaneously. Lastly, a vulnerable device could allow an attacker to exploit a vulnerable component for years, without ever being noticed. Depending on the type of device, the consequences of these attacks can range from annoying to potentially life threatening.

It should be noted that while Treck was quick to update its TCP/IP stack to a version that addresses these vulnerabilities, that was the easier part of the security fix. Unfortunately, even after being notified that their products are affected, installing the patch has proven difficult for many vendors. Furthermore, this remediation effort can prove impossible for vulnerable components still in use, but whose vendors are no longer in business after 20 years.

The effort of tracking down all vulnerable components and systems, through a supply chain spanning two decades, will remain a considerable forensic challenge in the coming years. And this represents just one series of flaws. When combined with similar vulnerabilities that have already been discovered, and those that have yet to be uncovered, the fragile state of the IoT supply chain becomes clear. Without a more concerted effort to improve IoT and network device security, throughout the entire lifecycle from development to deployment and through to retirement, the IoT landscape will remain nearly impossible to secure.

Related Content:

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Tanner Johnson is a cybersecurity analyst focused on IoT and transformative technologies at Omdia. His coverage is focused on examining the various threats that occupy the IoT technology domain, as well as opportunities and strategies that are emerging as data connectivity ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-18112
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
CVE-2020-15109
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
CVE-2020-16847
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
CVE-2020-15135
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
CVE-2020-13522
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.