
Ripple20 threat could affect 35% of all IT environments – ExtraHop

14 Sep 2020

A set of security vulnerabilities dubbed ‘Ripple20’ could cripple software supply chains if left undetected and unpatched, according to security firm ExtraHop, which has published a report estimating that 35% of all IT environments contain vulnerable devices.

Ripple20 is the name given to a set of vulnerabilities in the Treck TCP/IP stack, an embedded networking library that device manufacturers across a range of industries, including government, healthcare and utilities, have built into products for more than 20 years.

Of Ripple20’s 19 vulnerabilities, four are rated critical: CVE-2020-11896 (a length-handling flaw in IPv4 tunnelling that allows remote code execution), CVE-2020-11897 (an out-of-bounds write in the IPv6 component), CVE-2020-11898 (an out-of-bounds read in IPv4/ICMPv4 handling that leaks memory) and CVE-2020-11901 (a flaw in the DNS resolver that allows remote code execution). Because the stack is embedded in so many products, the vulnerabilities have the potential to ‘ripple’ through complex software supply chains, enabling attackers to steal data or execute code on affected devices.

ExtraHop researchers analysed customer network data and concluded that the flaws could be widely used by attackers to gain a foothold in corporate networks, particularly because the report puts the average attacker dwell time at 56 days, long enough to pivot from a compromised device to the rest of the network.

ExtraHop CISO Jeff Costlow says, “The devices that utilise the Treck stack are far-reaching with the potential for vast exploitation.”

“A threat actor could conceivably use this vulnerability to hide malicious code in the embedded devices for an extended period of time, and traditional endpoint or perimeter security solutions like EDR or NGFW will not have visibility into this set of exploits.”

However, JSOF, the research firm that discovered Ripple20, says a definitive list of affected devices will be difficult to compile, for several reasons: vendors often lack information on sub-licensed products, the Treck code has been used ‘liberally’ (repurposed and reused in other products), and some original manufacturers have long since gone out of business.

ExtraHop says that visibility and behavioural analysis of managed and unmanaged devices, including IoT, and visibility into unusual activity from potentially exploited devices within an organisation’s east-west traffic, are table stakes for a secure network.

Organisations should:

  • Patch software: “Vendors utilising the Treck Software were given early access to the threat details so they could start producing patches immediately. Unfortunately, a large number of devices have discontinued support which has made it difficult to account for all vulnerable device makes and models.”
  • Remove any devices that cannot be patched
  • Monitor for any malicious scans that could indicate device compromise
  • Implement exploit detection, particularly for lateral movement and privilege escalation.
  • Isolate vulnerable devices by:
    • Verifying devices are not publicly accessible
    • Moving devices to a network segment isolated from local subnets
    • Dropping all IP-in-IP traffic destined for affected devices
    • Dropping all IPv6 traffic destined for affected devices.
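The last two isolation steps, and the monitoring step above them, can be checked against live traffic. The following is an added example written for this article, not ExtraHop’s or JSOF’s code: it parses raw IPv4/IPv6 packets, looks up the destination in a device inventory, and returns the verdict a filter enforcing the list would apply (drop IP-in-IP, i.e. IPv4 protocol 4, and drop IPv6, when the destination is an affected device). The inventory addresses, the packet-builder helpers and the sample packets are all constructed for illustration.

```python
"""Flag traffic the Ripple20 mitigation list says to drop: IP-in-IP (IPv4
protocol 4) and IPv6 packets whose destination is a known vulnerable device.

Added example, not ExtraHop's or JSOF's code. The device inventory and the
packets below are constructed for illustration.
"""
import ipaddress
import struct

# Hypothetical inventory of devices known to run the Treck stack (constructed).
AFFECTED_DEVICES = {
    ipaddress.ip_address("10.20.0.15"),
    ipaddress.ip_address("10.20.0.16"),
    ipaddress.ip_address("fd00:20::15"),
}

IPPROTO_IPIP = 4  # IPv4-in-IPv4 encapsulation (RFC 2003)


def parse_ip_header(pkt: bytes):
    """Return (version, protocol/next-header, src, dst) for a raw IP packet."""
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        if len(pkt) < 20:
            raise ValueError("truncated IPv4 header")
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            raise ValueError("bad IPv4 IHL")
        return version, pkt[9], ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        return version, pkt[6], ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    raise ValueError(f"unknown IP version {version}")


def classify(pkt: bytes, affected=AFFECTED_DEVICES) -> str:
    """Return 'drop-ipip', 'drop-ipv6' or 'allow' per the mitigation list."""
    version, proto, _src, dst = parse_ip_header(pkt)
    if dst not in affected:
        return "allow"          # only traffic aimed at affected devices is filtered
    if version == 6:
        return "drop-ipv6"      # "drop all IPv6 traffic destined for affected devices"
    if proto == IPPROTO_IPIP:
        return "drop-ipip"      # "drop all IP-in-IP traffic destined for affected devices"
    return "allow"


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (no options; checksum left at zero)."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr + payload


def ipv6_packet(src: str, dst: str, next_header: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv6 header (version 6, zero traffic class and flow label)."""
    hdr = struct.pack(
        "!IHBB16s16s",
        0x60000000, len(payload), next_header, 64,
        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed,
    )
    return hdr + payload


# Constructed sample traffic: an IP-in-IP tunnel packet aimed at a Treck device,
# an IPv6 packet to another, ordinary TCP, and IP-in-IP to a device not in inventory.
SAMPLE_PACKETS = [
    ipv4_packet("192.0.2.7", "10.20.0.15", IPPROTO_IPIP,
                ipv4_packet("192.0.2.7", "10.20.0.15", 1)),   # inner ICMP
    ipv6_packet("2001:db8::1", "fd00:20::15", 58),           # ICMPv6
    ipv4_packet("10.20.0.99", "10.20.0.15", 6),              # plain TCP
    ipv4_packet("192.0.2.7", "10.20.0.200", IPPROTO_IPIP),    # not in inventory
]


def audit(packets=SAMPLE_PACKETS):
    """Return one verdict per packet; this is what a filter or alert rule acts on."""
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, audit()):
        _, proto, src, dst = parse_ip_header(pkt)
        print(f"{src} -> {dst} proto={proto}: {verdict}")
```

Two caveats apply when turning this into firewall rules or an alert. The check is deliberately coarse: it does not inspect the inner packet of a tunnel, and it only knows the devices in its inventory, which, as JSOF notes above, is the hard part. It also drops all IPv6 to listed devices, so any device that genuinely needs IPv6 must instead be segmented or patched.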