Numerous times in July, SpearTip has come across a relatively new zero-day vulnerability set known as Ripple20 living in enterprise networks on a variety of network-connected devices.

This past June, an Israeli team of security researchers uncovered 19 vulnerabilities (collectively known as Ripple20) in an old TCP/IP stack software library from Treck that is used in a wide variety of embedded, network-connected devices. Their findings are significant and reveal a problem that has the potential to plague networks and the internet for years to come.

Potentially impacting hundreds of millions of devices and affecting a wide range of industries, Ripple20 exists in networking devices, printers, industrial control devices, medical devices, smart home devices, and a litany of other IoT devices from major, well-known vendors. The vendors, too many to name, include giants such as Intel, Cisco, HP, Dell, Caterpillar, Rockwell Automation, Schneider Electric, and Eaton.

Four of the discovered vulnerabilities have a critical severity rating with a CVSS score of more than 9.0. These are:

  • CVE-2020-11896
  • CVE-2020-11897
  • CVE-2020-11898
  • CVE-2020-11899

The most serious of the findings is an unauthenticated remote code execution vulnerability that could allow a Threat Actor to execute arbitrary code on a device without authenticating, thereby taking control of it. Depending on the type of device affected, the outcomes could be dire, particularly for industrial control and medical devices.

Remote code execution vulnerabilities in IoT devices make Ripple20 the perfect target for botnet operators. Given the potentially hundreds of millions of affected devices, Threat Actors could wield a distributed denial of service attack like a sword and take down networks and large portions of the internet. That potential brings back memories of the 2016 Dyn cyberattack, which caused major service outages across North America and Europe when the DNS provider Dyn was hit with a massive DDoS attack by the Mirai botnet. A botnet leveraging Ripple20 is a national security threat and is exactly the kind of capability U.S. political and economic adversaries could seek.

Ripple20 magnifies the effect of supply-chain-based vulnerabilities, given how they reverberate throughout the market, and also highlights the need for increased security testing within the software development lifecycle.

As for a solution: update affected devices if you can, and consider replacing them when you can't. If neither can be done quickly, focus on your external-facing devices first and put them behind a firewall with a strict access control list. For internally affected devices, be sure to properly segment them off from the business network. Leverage an IDS and firewall to spot suspicious traffic, and be quick to react. Also, given that exploiting the remote code execution vulnerability relies on the DNS service, utilize caching DNS servers within the enterprise, use DNS over HTTPS, and don't allow direct DNS queries to the internet.
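The last two recommendations (segment affected devices off the business network, and route all DNS through enterprise caching resolvers rather than directly to the internet) can be checked against firewall flow logs. The following is an added example, not SpearTip's tooling: it parses constructed key=value flow records and flags any port-53 traffic to a resolver other than the enterprise one, plus any traffic from the assumed IoT segment into the assumed business segment. The segment ranges, resolver address and log format are all assumptions.

```python
import ipaddress
from typing import Dict, List

# Assumed policy values (placeholders, adjust to your own network).
ENTERPRISE_RESOLVERS = {"10.0.0.53"}                 # caching DNS server(s) devices must use
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")     # where Ripple20-affected devices live
BUSINESS_SEGMENT = ipaddress.ip_network("10.10.0.0/16")  # network the IoT segment must not reach

# Constructed sample firewall flow export (hypothetical format, not real log data).
SAMPLE_FLOWS = """\
2020-07-14T09:12:01 src=10.20.4.17 dst=10.0.0.53 dport=53 proto=udp
2020-07-14T09:12:03 src=10.20.4.17 dst=8.8.8.8 dport=53 proto=udp
2020-07-14T09:12:05 src=10.20.4.18 dst=1.1.1.1 dport=53 proto=tcp
2020-07-14T09:12:07 src=10.20.4.18 dst=10.10.1.5 dport=445 proto=tcp
2020-07-14T09:12:09 src=10.10.1.5 dst=10.0.0.53 dport=53 proto=udp
"""


def parse_flow(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict with the timestamp under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def audit_flows(text: str) -> List[Dict[str, str]]:
    """Return each flow that violates the DNS-egress or segmentation policy, with a reason."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if rec["dport"] == "53" and rec["dst"] not in ENTERPRISE_RESOLVERS:
            # DNS that bypasses the enterprise caching resolver: block at the egress firewall.
            findings.append({**rec, "reason": "direct DNS to non-enterprise resolver"})
        elif src in IOT_SEGMENT and dst in BUSINESS_SEGMENT:
            # An affected device reaching the business network: segmentation is not enforced.
            findings.append({**rec, "reason": "IoT segment reaching business network"})
    return findings


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f["ts"], f["src"], "->", f["dst"], f["dport"], "|", f["reason"])
```

Each finding corresponds to a firewall rule to add (deny port 53 except to the resolver, deny IoT-to-business) and a device worth inspecting.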

Sadly, many devices will remain unpatched due to lack of awareness or simply because no vendor-provided patch is available. If anything, Ripple20 underscores the need for a robust vulnerability and patch management policy and the risks of IoT devices.

Our proprietary tool, ShadowSpear®, and our elite cybersecurity engineers work around the clock for you and stop attacks immediately, before they destroy your environment. Learn more about ShadowSpear® before becoming a victim of a cyberattack.

24/7 Breach Response: 833.997.7327