Ripple20 is causing shock waves right now across our industry. And for legitimate reasons.   Ripple20 consists of 19 vulnerabilities that have the potential to impact hundreds of millions of end devices, including smart-home devices, industrial control systems, medical and healthcare systems, and even devices used in key parts of infrastructure such as energy, transportation, communication, and the government and national security sectors

If you haven’t been keeping up with all the industry buzz on this topic, here is a brief synopsis from the independent security research company who uncovered the vulnerabilities, JSOF.

• Ripple20 consists of 19 vulnerabilities, 4 of which are deemed critical.
• The vulnerabilities were discovered in a TCP/IP stack, developed by a company called Treck, that is widely used and embedded in IoT devices.
• The Treck TCP/IP stack has been around for more than 20 years…. possibly the vulnerabilities as well. 
• Due to the complexity of the supply chain, determining which IoT devices in your network run this particular TCP/IP stack could represent a formidable undertaking. Treck’s code is licensed and distributed under multiple different names. Therefore, your suppliers may need to reach out to their subcontractors and really dig to determine what specific TCP/IP stack is being used in many of your end devices.
• According to the US Cybersecurity and Infrastructure Security Agency, Industrial Control Systems, and Medical devices are deemed to be the most vulnerable to Ripple20.

To understand the severity of the vulnerabilities, JSOF has assigned scores using the Common Vulnerabilities Scoring System (CVSS) 3.0 – which is a free and open industry standard for assessing vulnerabilities. The CVSSv3.0 scale ranges from 1 to 10 with 10 being the most severe. 

Of the 19 vulnerabilities:

• 4 are critical remote code execution vulnerabilities with a CVSSv3.0 ≥ 9.
• 2 are high with a CVSSv3.0 ≥ 7.
• 13 more have various lower severity, information leaks, DoS, and others.
• Affected protocols within the stack include IPv4, IPv6, UDP, DNS, DHCP, TCP, ICMPv4, and ARP.

What is the impact?

The real danger is that, through these vulnerabilities, an attacker can gain complete control over the targeted IoT device remotely, without user interaction required. This would enable them to render it useless or force it to run any malicious code they choose, such as ransomware. 

Furthermore, for many of these vulnerabilities, the packets sent are very similar to valid packets, or, in some cases are completely valid packets. This enables the attack to pass as legitimate traffic and go undetected by firewalls and threat detection systems. 

To illustrate these dangers, JSOF researchers will be releasing another two white papers following BlackHat USA this year showing how they managed to exploit some of the bugs to switch off a Schneider Electric UPS.

The silver lining to this rather dark cloud is that, according to the US Cybersecurity and Infrastructure Security Agency, there are no known public exploits of these vulnerabilities to date, and it is anticipated that it would take a high skill level for a malicious actor to be able to exploit them.

Regardless, due to the potentially catastrophic impact of a malicious actor gaining control of critical infrastructure or a medical device being used for patient care, it is best to be vigilant and mitigate the risk of these vulnerabilities as quickly as possible.

How to mitigate the risk:  Upgrading and patching the device

The best way to mitigate the risk is, of course, to upgrade or patch any device that is believed to be impacted by these vulnerabilities. Treck, the developer of the TCP/IP stack, has already fixed all issues that were reported and made them available to their customers either through their newest code release (6.0.1.67 or later), or patches. Note that Trek has a vulnerability response website located here.

But patching and upgrading is easier said than done since as mentioned above, even identifying which devices are potentially impacted is complex. Then it is the sheer number of devices, many of them providing business-critical functions – that would need to be patched or upgraded – going back twenty years in time.

The CERT Coordination Center from the Software Engineering Institute at Carnegie Mellon University provides a list of vendors who are known to be impacted by these vulnerabilities. It ranges from printer suppliers, such as Xerox, to suppliers of heavy industrial equipment, such as Caterpillar. As the impact to many suppliers is still unknown, it is best to bookmark this website and refer to it often.

What do you do when upgrading and patching are simply not feasible?

For a variety of reasons, upgrading and patching end devices may not be feasible. In this case, the US Cybersecurity and Infrastructure Security Agency recommend that companies take the following actions:

• Ensure any suspected impacted devices are not accessible by the Internet.
• Isolate all suspected devices away from the business IT network.
• When remote access to the device is required, use a secure VPN that is fully up to date with all necessary security patches and upgrades.

In addition, the CERT CC offers some valuable network mitigations to help protect suspected devices from the risk of attack. These include blocking IP fragmented traffic, and where possible, blocking IP source routing and more.

How Extreme can help

For companies that need to act quickly to protect high-value assets, Extreme’s Defender for IoT solution helps to protect, isolate, and monitor endpoints such as medical devices and even Industrial Control Systems. It is designed to run over any network infrastructure, to quickly and easily enable the secure connectivity of IoT, without requiring any network upgrades or complicated security appliances. It is a fast and easy way to reduce the potential attack surface of any mission-critical devices that are suspected to contain this or other vulnerabilities. 

Defender for IoT offers the following critical functionality:   

Isolates groups of IoT devices in their own IPsec encrypted segment (or Fabric Connect hyper-segment) that extends from the device to the Data Center to limit the visibility of vulnerable devices. These segments can be overlaid over any IP network (Extreme or third party), regardless of its age and its functionality.

Applies whitelist profiles to lock down communication to only authorized hosts, using only authorized protocols or applications.

• Profiles can be dynamically generated based on the devices of normal operating behavior.
• Once a profile is learned, it can be used as-is, modified, and then saved an applied back to the IoT device to only permit traffic that conforms to the policy.

A few longer-term strategies companies can take related to the deployment of infrastructure to enhance IoT security include:

• Deploy a comprehensive end-to-end network segmentation strategy.  Cyber-security experts all agree that IoT devices need to be segmented. This doesn’t mean all IoT devices in a single segment. This means each type of IoT device in its own secure segment. To learn more about segmentation and how fabric technologies such as Extreme’s Fabric Connect can enable simple, scalable, and inherently secure segmentation, please listen to this on-demand webinar with IDG.

• Look to cloud-based infrastructure management for AI/ML-driven insights and comprehensive device fingerprinting.  One of the common challenges with securing IoT, is a lack of visibility into each endpoint connecting to the network.  And you cannot secure what you cannot see.  With ExtremeCloud IQ, we offer synchronization into the world’s largest device fingerprinting database, Fingerbank, so that when an IoT device connects to the network, it is detected and assigned a signature.  Rules can then be applied to control access of that device to only the necessary resources. The other major benefit to the cloud is all the AI/ML-driven insights that can be obtained on the endpoints so that if behavior deviates from normal operating behavior that device can be flagged and quarantined for further investigation.

Important industry resources:

As there is still much to learn about the impacts of these vulnerabilities, here are some valuable websites that you can refer to, to make sure that you are accessing the latest information:

• JSOF Ripple20 website
• Treck Ripple20 response website
• The CERT Coordination Center from the Software Engineering Institute at Carnegie Mellon University (contains list of vendors known to be impacted)
• CERT CC list of network mitigations
• US Cybersecurity and Infrastructure Security Agency
• Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies.
• Black Hat conference in August where more details on the vulnerabilities will be released by JSOF

For more information:

• Listen to this on-demand webinar hosted by Data Equipment AS and presented by Extreme’s Distinguished Engineer, Ed Koehler on IoT Security
• Register and listen to this on-demand webinar with IDG on “Rethinking the Network and Security in the Era of IoT and COVID-19”

Register and download our Top 10 Network Security Best Practices eBook