While the modern-day Internet supports considerable security controls such as encryption, identification, and authentication, this was not always the case. Concerns regarding cybersecurity were largely absent during the initial development and deployment of the early Internet. As a result, many of today's commonly used security solutions have been designed and applied piecemeal. So it's no surprise that several newly discovered flaws in the underlying network stack infrastructure, unknown and unpatched since the late 1990s, have recently been discovered. The implications of such vulnerabilities can prove catastrophic for the perpetually growing IoT landscape.
An Israel cybersecurity company named JSOF has managed to uncover a series of zero-day vulnerabilities in an old TCP/IP software library. Vulnerabilities that exist, but are unknown to the affected product vendor, are commonly referred to as zero-day vulnerabilities. The nature of these flaws mean they are exploitable until the vulnerable systems are patched by the vendor. However, even if a patch is released, many updates (especially on older components) cannot be automatically executed, and require human interaction to install. As a result, zero-day vulnerabilities simultaneously pose the greatest threats to information security, while being viewed as the most sought-after prize for cybercriminals to attain and share.
In total, JSOF discovered 19 of these vulnerabilities, but named the batch of flaws Ripple20 to illustrate the "ripple effect" these security defects will have on connected devices for years to come. The specific flaws themselves were determined to have spawned from a Cincinnati-based organization named Treck Inc. Treck was responsible for developing a high-performance TCP/IP protocol suite for use in embedded systems by connected device manufacturers.
As a result of the suite’s popularity, the vulnerabilities were able to infiltrate the global markets unnoticed through the supply chain itself. For instance, JSOF determined that a joint collaboration between Treck and a firm named Elmic Systems, allowed the vulnerabilities to also propagate into the Japanese market more than 20 years ago.
When it comes to understanding the software flaws themselves, knowledge of two primary components of the vulnerability ecosystem are essential. These include the Common Weakness Enumeration (CWE) values, and the Common Vulnerability Scoring System (CVSS) values. While there many independent variables that dictate the overall classification of these values for each vulnerability in question, the CWE serves as a common language for describing the nature of the vulnerabilities themselves, while the CVSS scores provide a universal yardstick for measuring their overall severity.
With regard to the Ripple20 vulnerabilities, three of the most common CWE values are CWE-20, CWE-125, and CWE-200. CWE-20 impacts the ability of the system to effectively validate user input, potentially allowing an adversary to execute malicious code. A CWE-125 flaw could grant an adversary the ability to read memory outside the intended buffer. Lastly, a CWE-200 vulnerability could result in the potential exposure of sensitive information. Additionally, CVSS scores reflect not only the criticality of the flaw, but also the degree of knowledge required to exploit the flaw. Unfortunately, four of the Ripple20 flaws have a CVSS score of 9/10 or higher, meaning they can be weaponized for devastating impact without requiring considerable expertise from the attacker.
While JSOF has provided recommendations to help mitigate the risks of Ripple20, the overall reach and scope of the flaws have significant market implications. Adding greater complexity to this specific challenge is the age of the vulnerable infrastructure itself, as these zero-day vulnerabilities have managed to permeate into millions of products from over 100 vendors. Components utilizing the vulnerable network stack library have been discovered in industrial environments, healthcare, consumer, retail, utilities, aviation, enterprise, transportation, and even national security sectors.
The resulting impact of a successfully exploited Ripple20 vulnerability can take many forms. If the flaws were exploited properly, an attacker could gain total control over an internal network device, from outside the network perimeter through the internet facing gateway. If multiple vulnerable devices were discovered, an adversary could potentially broaden their attack to target all unpatched components simultaneously. Lastly, a vulnerable device could allow an attacker to exploit a vulnerable component for years, without ever being noticed. Depending on the type of device, the consequences of these attacks can range from annoying to potentially life threatening.
It should be noted that while Treck was quick to update its TCP/IP stack to a version that addresses these vulnerabilities, that was the easier part of the security fix. Unfortunately, even after being notified that their products are affected, installing the patch has proven difficult for many vendors. Furthermore, this remediation effort can prove impossible for vulnerable components still in use, but whose vendors are no longer in business after 20 years.
The effort of tracking down all vulnerable components and systems, through a supply chain spanning two decades, will remain a considerable forensic challenge in the coming years. And this represents just one series of flaws. When combined with similar vulnerabilities that have already been discovered, and those that have yet to be uncovered, the fragile state of the IoT supply chain becomes clear. Without a more concerted effort to improve IoT and network device security, throughout the entire lifecycle from development to deployment and through to retirement, the IoT landscape will remain nearly impossible to secure.
- Ripple20 Threatens Increasingly Connected Medical Devices
- What Organizations Need to Know About IoT Supply Chain Risk
- How to Assess More Sophisticated IoT Threats
- IoT Security Trends and Challenges in the Wake of COVID-19
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.