Millions of Internet-connected devices are at risk
The Homeland Security Department and CISA ICS-CERT have just released an urgent security alert warning of over a dozen vulnerabilities that have been found affecting billions of Internet-linked appliances made by more than 500 vendors worldwide.
The set of vulnerabilities has been found in Treck’s low-level TCP/IP software library and has been named “Ripple20”. If exploited, the detected flaws can allow remote attackers to gain full control over targeted devices without user interaction.
The Israeli cybersecurity company JSOF, which detected these flaws, reports that the devices affected by the vulnerabilities in Treck’s low-level TCP/IP software library are currently being used in different industries, including customer homes, medical, health care, enterprises, data centers, telecoms, oil, gas, nuclear, transportation and even critical infrastructure sectors.
The researchers explain that, through these flaws, malicious actors can steal data from a printer, modify the behavior of an infusion pump or another Internet-connected health device, or manipulate the operation of an industrial control system or cause it to malfunction. According to them, only one of the vulnerabilities could allow entry from outside into the network.
Among all the listed issues, four are critical vulnerabilities in the Treck TCP/IP stack that can allow an attacker to remotely execute malicious code on a target device. One critical bug affects the DNS protocol. The rest of the vulnerabilities vary in severity and range from denial of service to possible remote code execution, according to the published report. More information on the remaining vulnerabilities can be found in the advisory released by the US government.
The JSOF cybersecurity researchers reported their findings to Treck, which then fixed most of the flaws with the release of TCP/IP stack version 184.108.40.206 or above. In addition, the researchers have contacted more than 500 impacted equipment suppliers and device manufacturers, including HP, Intel, Rockwell, Schneider Electric, and Caterpillar. Many of them have already addressed the vulnerabilities, and some are still evaluating the flaws’ effects on their products.
The researchers revealed that the disclosure of the detected flaws was postponed two times after affected vendors requested more time to react due to the coronavirus situation. After the period was extended from 90 to over 120 days, however, in their view, some of the companies made extra demands and seemed more concerned about their brand’s image than about patching the vulnerabilities.
Given the current situation, a lot of companies would be unable to respond quickly to the Ripple20 vulnerabilities, and the security patch updates for millions of devices may not happen anytime soon. Thus, researchers and ICS-CERT have recommended that users and organizations:
- Reduce the network visibility of all control system devices and/or systems and make sure they are inaccessible from the Internet.
- Find networks of control systems and remote devices, separate them from company networks, and hide them behind firewalls.
- Securely link the devices to the Internet or Cloud-based services through virtual private networks (VPN).
In its advisory, CISA has asked organizations affected by the Ripple20 flaws to perform adequate analysis and risk evaluation before adopting protective measures.