Alert Logic Protects Customers from Pervasive Ripple20 Vulnerabilities in IoT Devices

When you throw a pebble into a pond, ripples spread out across the water from the point of impact. A similar effect occurs when you have a vulnerability in a technology that is widely used as a foundation for entire classes of devices. Researchers from Israeli security firm JSOF found such a flaw with Ripple20—a collection of hackable vulnerabilities that impact a broad swath of Internet of Things (IoT) devices.

Scope and Impact of Ripple20

IoT devices are an unseen threat that lurks in the corner of every network. There are literally hundreds of millions of IoT devices in use around the world running medical devices, uninterruptable power supplies, industrial automation, and other critical equipment.

A blog post from JSOF describing Ripple20 explains, “The JSOF research lab has discovered a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. The 19 vulnerabilities, given the name Ripple20, affect hundreds of millions of devices (or more) and include multiple remote code execution vulnerabilities. The risks inherent in this situation are high.”

This is one of the biggest and most significant vulnerability disclosures in years. These vulnerabilities are at the root of a long and complex supply chain. Flaws in core technologies are multiplies and amplified as the reach of the vulnerability grows, while also making it very difficult—if not impossible—to confidently track all permutations and vendors affected.

The Ripple20 vulnerabilities pose a significant risk if successfully exploited. At the time of writing, there are 21 confirmed vulnerable vendors, including Cisco, HP, Dell, Intel, and Rockwell Automation. An additional 52 vendors—names like Apple, IBM, Broadcom, and Sony—are continuing to investigate to determine the possible impact of Ripple20 on their products.

Mitigating Risk from Ripple20

IoT vendors need to determine if they are using a vulnerable Treck stack and take steps to understand the risks, update to the latest version of Treck, and disable vulnerable features on any devices that can’t be updated.

Organizations using IoT devices at risk from the Ripple20 vulnerabilities should start by updating vulnerable devices if possible. If there are vulnerable devices that can’t be updated, you should minimize network exposure for critical devices and make sure vulnerable devices can’t be accessed from the public internet. You should also take steps to identify and block anomalous IP traffic and block network attacks via deep packet inspection.

Protecting Alert Logic Customers

The Alert Logic team analyzed the Ripple20 vulnerabilities and was able to identify a telltale fingerprint of the Treck stack which is consistent across multiple hardware vendors. That enabled us to develop a single, efficient unauthenticated safe scan check to reduce exposure to risk from Ripple20 for Alert Logic customers.

Alert Logic recommends that customers review their scan reports for Ripple20 vulnerabilities and contact their IoT vendors for patches. Telemetry signatures has been deployed to Alert Logic sensors, which will allow us to spot unusual activity specific to this vulnerability. At this time, we have not seen any specific attacks in the wild.

About the Author

Jesper Jurcenoks - Sr. Product Manager - Vulnerability Assessment / Scanning

Jesper Jurcenoks

Jesper Jurcenoks, who got his first permanent employment in computers at the age of 15, has more than 35 years of experience in Software Development. The last 15 years 100% focused on Vulnerability Assessment, where he has been awarded SC Magazine 5 Star reviews 7 times (2008-2014),  Won SC Magazine Innovator Of the Year 2010, SC Magazine Best Buy 2011, Cyber Security Excellence Award 2016 in Vulnerability Management. Joined Alert Logic as part of the Acquisition of Critical Watch Dec 2014 where he was VP of Security Research.

Email Me | More Posts by Jesper Jurcenoks