A large number of organizations around the world could be open to cyberattacks from vulnerabilities buried in the Internet stack of millions of embedded devices such as printers, VoIP phone systems and medical infusion pumps, warns a cybersecurity company.
ExtraHop Networks issued the alert this week after investigating the potential impact of 19 vulnerabilities dubbed Ripple20 found in devices that contain the low-level TCP/IP software library developed by Cincinnati-based Treck Inc.
The package of bugs, which has been distributed for years, was announced in June by Israeli researchers at a security consultancy called JSOF. Ripple20 earned its name because the stack is so widely distributed in products that the potential effect can ripple through supply chains around the world.
The researchers said the stack can be found in printers, VoIP products and other devices made by HP, Ricoh, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors in the medical, transportation, industrial control, enterprise, energy, telecom, retail and commerce fields.
ExtraHop, which makes network visibility and detection solutions, took the research a step further by analyzing 15 million devices on its customers’ networks to figure that 35 per cent of them could be vulnerable. That number could be low, it adds, because some customers don’t monitor their IoT or campus networks.
“Identifying vulnerable devices in your environment can be difficult due to the widespread use of the Treck network stack in the firmware of devices such as printers, backup batteries, industrial controllers, and more,” says ExtraHop. “While patches have been issued by Treck for all 19 vulnerabilities, due to the age and nature of these devices, patching may prove difficult or impossible.”
JSOF notes that due to collaboration with other companies the Treck stack could also be known as Elmic, Net+ OS, Quadnet, GHNET v2 and Kwiknet.
Four of the Ripple20 vulnerabilities are rated critical, with CVSS scores over nine, and enable remote code execution, says JSOF. One of the critical vulnerabilities is in the DNS protocol and may potentially be exploitable by a sophisticated attacker over the internet, from outside the network boundaries, even on devices that are not connected to the internet.
Most of the vulnerabilities are true zero-days, the researchers said; four of them had been closed over the years as part of routine code changes but remain open in some of the affected devices (3 lower severity, 1 higher). Many of the vulnerabilities have several variants due to the stack's configurability and code changes over the years.
Vendors were given 120 days’ notice to produce patches before JSOF revealed the vulnerabilities, and many are available now. However, it is believed makers of many devices have stopped offering support. ExtraHop says that if a patch is unavailable for an affected device, organizations should consider replacing it with a secure unit. Many of the devices affected by Ripple20 vulnerabilities are inexpensive, ExtraHop adds, especially relative to the risk they pose. They may be old enough to be replaced anyway, it adds.
The Ripple20 disclosure process is being co-ordinated and overseen by multiple national computer emergency response team (CERT) organizations and regulators.
“Over the course of the disclosure process we found that while patching was difficult for some vendors, it could potentially be even more difficult or close to impossible for some end-users to install the patches,” says JSOF. For example, the library may be on a separate physical component, or the company that produced the component has ceased operations.
JSOF urges organizations to perform a comprehensive risk assessment before deploying defensive measures. Manufacturers should determine if they use a vulnerable Treck stack, contact Treck to understand risks and, if possible, update to the latest Treck stack version (188.8.131.52 or higher).
Network operators should update to patched versions of all devices. If devices can't be updated, JSOF recommends minimizing the network exposure of affected embedded and critical devices, ensuring they are not accessible from the Internet unless absolutely essential.
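As an added illustration (not code from the article, ExtraHop or JSOF), the following Python script turns the guidance above into an inventory triage: it flags devices whose TCP/IP stack is Treck or one of the names the stack was shipped under, assigns each affected device the action the advice points to (patch where a fix exists, replace where the vendor no longer supports it, isolate while waiting for a fix), and orders the results so that Internet-exposed and critical devices come first. The inventory, device names and vendors are constructed placeholders; in practice the stack field would come from vendor advisories or firmware fingerprinting.

```python
"""Triage an asset inventory for Ripple20 exposure (illustrative example)."""
from dataclasses import dataclass
from typing import Dict, List

# Names under which the Treck stack has been distributed, per the JSOF advisory.
TRECK_STACK_ALIASES = {"treck", "elmic", "net+ os", "quadnet", "ghnet v2", "kwiknet"}


@dataclass
class Device:
    name: str               # constructed placeholder hostname
    vendor: str             # constructed placeholder vendor
    ip_stack: str           # TCP/IP stack name from vendor docs or fingerprinting
    patch_available: bool   # vendor has published fixed firmware
    vendor_supported: bool  # vendor still supports the device
    internet_exposed: bool  # reachable from the Internet per firewall review
    role: str               # "critical" or "non-critical"


def uses_treck_stack(device: Device) -> bool:
    """True if the device's stack is Treck or one of its known aliases."""
    return device.ip_stack.strip().lower() in TRECK_STACK_ALIASES


def recommend(device: Device) -> str:
    """Map a device to the action the ExtraHop/JSOF guidance suggests."""
    if not uses_treck_stack(device):
        return "no-action"
    if device.patch_available:
        return "patch"          # a fixed firmware exists: install it
    if not device.vendor_supported:
        return "replace"        # no fix will come: swap the unit out
    return "isolate"            # fix pending: cut network exposure meanwhile


def urgency(device: Device) -> int:
    """Higher means act sooner: Internet exposure outweighs criticality."""
    return (2 if device.internet_exposed else 0) + (1 if device.role == "critical" else 0)


def triage(devices: List[Device]) -> List[Dict]:
    """Return affected devices, most urgent first, with the action to take."""
    rows = [
        {
            "device": d.name,
            "action": recommend(d),
            "urgency": urgency(d),
            "exposed": d.internet_exposed,
        }
        for d in devices
        if uses_treck_stack(d)
    ]
    rows.sort(key=lambda r: (-r["urgency"], r["device"]))
    return rows


# Constructed sample inventory; names, vendors and attributes are placeholders.
SAMPLE_INVENTORY = [
    Device(name="print-01", vendor="ExamplePrinterCo", ip_stack="Treck",
           patch_available=True, vendor_supported=True,
           internet_exposed=False, role="non-critical"),
    Device(name="voip-gw-01", vendor="ExampleVoIPCo", ip_stack="Kwiknet",
           patch_available=False, vendor_supported=False,
           internet_exposed=True, role="non-critical"),
    Device(name="infusion-07", vendor="ExampleMedCo", ip_stack="Elmic",
           patch_available=False, vendor_supported=True,
           internet_exposed=False, role="critical"),
    Device(name="switch-core", vendor="ExampleNetCo", ip_stack="lwIP",
           patch_available=True, vendor_supported=True,
           internet_exposed=False, role="critical"),
]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f'{row["device"]:<12} action={row["action"]:<9} '
              f'urgency={row["urgency"]} exposed={row["exposed"]}')
```

The "isolate" outcome is the interesting one: a supported device with no fix yet is neither patched nor discarded, so the only available control is to remove its Internet reachability and keep it on a segmented network until the vendor ships firmware.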