Almost 20 zero-day vulnerabilities in a TCP/IP library, including critical vulnerabilities in the DNS protocol, could allow remote control of devices, with the impact further amplified by ‘supply chain dissemination’.
Security researchers have discovered nearly 20 vulnerabilities in a TCP/IP library used by IoT devices. The flaws could potentially affect hundreds of millions of devices worldwide.
Named Ripple20, the set of zero-day vulnerabilities was found in the communications stack developed by Treck.
In a blog post from JSOF, four of the Ripple20 vulnerabilities are rated critical, with CVSS scores above 9, and enable remote code execution. “One of the critical vulnerabilities is in the DNS protocol and may potentially be exploitable by a sophisticated attacker over the internet, from outside the network boundaries, even on devices that are not connected to the internet,” the researchers commented.
They noted the “incredible extent” of its impact, magnified by the supply chain.
“The widespread dissemination of the software library & its internal vulnerabilities were a natural consequence of the supply chain ‘ripple-effect’. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, & people,” they further observed.
Researchers explained that the flaws affect a whole range of vendors, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar and Baxter, as well as many other major international vendors.
After being notified, Treck has issued a patch to OEMs.
“While the best response might be to install the original Treck patch, there are many situations in which installing the original patch is not possible. CERTs work to develop alternative approaches that can be used to minimise or effectively eliminate the risk, even if patching is not an option,” cautioned the researchers.
Craig Young, Senior Security Researcher at Tripwire, observed that this situation is a “full-on supply chain disaster”.
“The affected code has apparently permeated out into many products across different verticals including some system-on-module components which in turn are embedded into other products.”
“This is further compounded by the general difficulties often encountered when vendors need to update embedded device components. It is reasonable to expect that many devices will never have fixes available and others will take extended times as fixes work their way through the supply chain. It is not uncommon to see embedded devices without any capability for field upgrades,” he further explained.
Chris Clements, Vice President of Solutions Architecture at Cerberus Sentinel, observed that as more ‘smart’ devices that control sensitive operations like smoke detection, heating & cooling, or even just power outlets are incorporated into homes & offices, the risk of them getting hacked can quickly transform from a small annoyance into a very real safety issue.
“Even if the IoT devices themselves do not contain any sensitive information, their very presence on a computer network gives an attacker able to compromise them a much more effective vantage point to launch attacks on computer systems that do. Unfortunately, many embedded or IoT devices will not ever receive patches to fix this or future security issues discovered due to abandonment by the manufacturer or even the manufacturer going out of business,” he concluded.