Urgent patching or decommissioning of affected devices is needed because hackers can evade EDR and NGFW detection.

A major threat has been found in a low-level TCP/IP software library developed by Treck Inc that is commonly used by device manufacturers across many industries, including utilities, healthcare, government, and academia. The impact of this threat ripples through complex software supply chains, making it a difficult vulnerability to mitigate, according to cybersecurity firm ExtraHop.

A series of 19 vulnerabilities found in the Treck networking stack has been termed the Ripple20, and if affected software goes undetected and unpatched, the potential impact could be far-reaching, said the threat researchers. Analyzing data across its customer base, ExtraHop found that 35% of IT environments are vulnerable to Ripple20.

It started in June

The JSOF threat research organization initially found the Ripple20 vulnerability (CVE-2020-11901) in June 2020, and unveiled the details to impacted device manufacturers and security vendors to give them ample time to deploy patches and create detections before releasing their findings to the general public.

The ExtraHop threat research team then studied their own customer data and discovered vulnerable software in one out of every three IT environments in its portfolio. With industry average dwell times hovering around 56 days, these devices are a ticking time bomb if left unpatched. The firm’s experts predict that this exploit will be widely used by attackers as an easy backdoor into networks across industries around the globe.

Said Jeff Costlow, CISO, ExtraHop: “The devices that utilize the Treck stack are far-reaching with the potential for vast exploitation.  A threat actor could conceivably use this vulnerability to hide malicious code in the embedded devices for an extended period of time, and traditional endpoint or perimeter security solutions such as Endpoint Detection & Response and Nextgen Firewall will not have visibility into this set of exploits.”

Added the firm’s said Vice President of Asia Pacific and Japan, David Sajoto: “The potential applications of IoT across various industries including manufacturing are promising, but the risks the technology brings also cannot be ignored. Organizations must rise above the noise and gain visibility across their IT infrastructure to ensure security. With improved security posture, businesses stand to benefit more from their digitalization and modernization efforts.”

Visibility and behavioral analysis of managed and unmanaged devices, including IoT, and visibility into unusual activity from potentially-exploited devices within an organization’s east-west traffic, are table stakes for a secure network, say ExtraHop’s researchers. Organizations can take a number of steps to help mitigate the risk from Ripple20 vulnerability:

  • Patching: Vendors utilizing the Treck Software were given early access to the threat details so they could start producing patches immediately. Unfortunately, support for a large number of devices has been discontinued, which has made it difficult to account for all vulnerable device makes and models.
  • Removal from service: If a patch is unavailable for the affected device, it is recommended that organizations consider removing devices from service entirely and replacing them with known secure devices. Removing the device will improve hygiene and compliance, critical for keeping environments secure.
  • Monitor for scanning activity: Before a vulnerable device can be compromised, attackers must first find it. Organizations will need to assess their own practices to understand and monitor which scans are legitimate and which could indicate malicious intent.
  • Exploit detection: Because not all vulnerable devices may be identified and patched, it is crucial that organizations detect unusual activity resulting from a Ripple20 exploit as it occurs, such as lateral movement and privilege escalation. Network-based detection is a requirement in this case because embedded devices that use the Treck software will not support endpoint agents.

Finally, it is recommended to isolate vulnerable devices if it is not possible to patch affected devices.  Verify that these devices are not publicly accessible, move devices them to an isolated network segment, then drop all IP-in-IP traffic and IPv6 traffic (where applicable) destined for affected devices.