A range of security vulnerabilities called ‘Ripple20’ could paralyze software supply chains if they stay under the radar and uncorrected. That is the warning from security firm ExtraHop, which published a paper stating that 35% of all IT environments are exposed.
Ripple20 refers to vulnerabilities in the Treck TCP/IP software library, which device manufacturers across various industries, including government, healthcare, and utilities, have built into their products. The Treck software stack has been shipped in devices for more than 20 years.
Of Ripple20’s 19 vulnerabilities, four have been assigned CVEs: CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, and CVE-2020-11901. The vulnerabilities can ‘ripple’ through complex software supply chains, allowing attackers to steal data or execute code.
ExtraHop researchers analyzed customer data and found that the vulnerabilities could be widely exploited to gain access to corporate networks, especially as the average dwell time is a whopping 56 days.
ExtraHop CISO Jeff Costlow says, “The devices that utilize the Treck stack are far-reaching with the potential for vast exploitation.”
“A threat actor could conceivably use this vulnerability to hide malicious code in the embedded devices for an extended period of time, and traditional endpoint or perimeter security solutions like EDR or NGFW will not have visibility into this set of exploits.”
Nevertheless, security firm JSOF says that it will not be easy to create a comprehensive list of affected devices, for several reasons: a lack of information on sub-licensed products from vendors, ‘liberal’ use of the Treck code through repurposing and reuse, and original manufacturers that have long since gone out of business.
ExtraHop says that visibility into and behavioral analysis of managed and unmanaged devices, including IoT, together with insight into unusual activity from possibly exploited devices within an organization’s east-west traffic, are table stakes for a secure network. Its recommendations:
- Patch software: “Vendors utilizing the Treck Software were given early access to the threat details so they could start producing patches immediately. Unfortunately, a large number of devices have discontinued support which has made it difficult to account for all vulnerable device makes and models.”
- Remove any devices that cannot be patched.
- Watch for malicious scans that could indicate a device has been compromised.
- Deploy exploit detection, particularly for lateral movement and privilege escalation.
- Isolate vulnerable devices by:
  - Confirming that devices are not publicly accessible.
  - Moving devices to a network segment isolated from local subnets.
  - Filtering all IP-in-IP traffic destined for affected devices.
  - Dropping all IPv6 traffic destined for affected devices.
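The last two network-side mitigations, filtering IP-in-IP traffic and dropping IPv6 traffic destined for affected devices, as an added Python example that is not ExtraHop's or JSOF's code: it classifies flow records against an inventory of affected devices and renders the equivalent nftables rules. The device addresses and flow records are constructed, and the nftables table and chain names (`inet filter`, `forward`) are assumptions.

```python
"""Ripple20 mitigation check: flag IP-in-IP traffic and IPv6 traffic destined
for affected devices, and render matching nftables rules. Added example, not
ExtraHop's or JSOF's code; device addresses and flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 encapsulation
# Constructed sample inventory of devices believed to run the Treck stack.
AFFECTED_DEVICES = {ipaddress.ip_address(a) for a in ("10.20.30.40", "10.20.30.41", "fd00::40")}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int  # IPv4 protocol field / IPv6 next-header value

def classify(flow: Flow, devices=AFFECTED_DEVICES) -> Optional[str]:
    """Name the mitigation a flow triggers, or None if it may pass."""
    dst = ipaddress.ip_address(flow.dst)
    if dst not in devices:
        return None  # only traffic *to* affected devices is in scope
    if dst.version == 6:
        return "drop-ipv6"  # guidance: drop all IPv6 to affected devices
    if flow.proto == IPPROTO_IPIP:
        return "filter-ipip"  # guidance: filter IP-in-IP (protocol 4)
    return None

def violations(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, mitigation) pairs for every flow that should be blocked."""
    return [(f, r) for f in flows if (r := classify(f)) is not None]

def nft_rules(devices=AFFECTED_DEVICES) -> List[str]:
    """Equivalent nftables rules; assumes table 'inet filter' has a 'forward' chain."""
    v4 = sorted(str(d) for d in devices if d.version == 4)
    v6 = sorted(str(d) for d in devices if d.version == 6)
    rules = []
    if v4:
        rules.append(f"add rule inet filter forward ip daddr {{ {', '.join(v4)} }} "
                     "ip protocol 4 drop")
    if v6:
        rules.append(f"add rule inet filter forward ip6 daddr {{ {', '.join(v6)} }} drop")
    return rules

# Constructed flows: IP-in-IP to a device, TCP to it, IPv6 to a device, IP-in-IP to a non-inventory host.
SAMPLE_FLOWS = [Flow("192.0.2.10", "10.20.30.40", IPPROTO_IPIP),
                Flow("192.0.2.10", "10.20.30.40", 6),
                Flow("2001:db8::1", "fd00::40", 58),
                Flow("192.0.2.10", "10.20.30.99", IPPROTO_IPIP)]
```

Feed `violations()` real flow exports (NetFlow, Zeek conn logs) to find traffic the rules would have blocked before loading them with `nft -f`.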