Researchers discover that one in three IT environments are vulnerable to Ripple20 threat
- Published: Friday, 11 September 2020 08:34
ExtraHop has issued a report warning of the potential impact of Ripple20 vulnerabilities if affected software goes undetected and unpatched. Analyzing data across its customer base, ExtraHop threat researchers found that 35 percent of IT environments are vulnerable to Ripple20.
The Ripple20 threat is a series of 19 vulnerabilities found in the Treck networking stack, a low-level TCP/IP software library developed by Treck Inc. that is commonly used by device manufacturers across many industries, including utilities, healthcare, government, and academia. The impact of this threat ‘ripples’ through complex software supply chains, making it a difficult vulnerability to mitigate.
The JSOF threat research organization found the Ripple20 vulnerabilities (including CVE-2020-11901) in June 2020, and provided the details to impacted device manufacturers and security vendors to give them time to deploy patches and create detections before releasing their findings to the general public. The ExtraHop threat research team studied customer data and discovered vulnerable software in one out of every three IT environments. With industry average dwell times hovering around 56 days, these devices are ‘a ticking time bomb if left alone’ according to ExtraHop. ExtraHop experts predict that this exploit will be widely used by attackers as an easy backdoor into networks across industries around the globe.
ExtraHop says that organizations can take a number of steps to help mitigate the risk from Ripple20:
- Patching: Vendors using the Treck software were given early access to the threat details so they could start producing patches immediately. Unfortunately, a large number of affected devices are no longer supported by their vendors, which makes it difficult to account for all vulnerable device makes and models.
- Removal from Service: if a patch is unavailable for the affected device, it’s recommended that organizations consider removing devices from service entirely and replacing them with known secure devices. Removing the device will improve hygiene and compliance, critical for keeping environments secure.
- Monitor for Scanning Activity: before a vulnerable device can be compromised, attackers must first find it. Organizations will need to assess their own practices to understand and monitor which scans are legitimate and which could indicate malicious intent.
- Exploit Detection: because not all vulnerable devices may be identified and patched, it is crucial that organizations detect unusual activity resulting from a Ripple20 exploit as it occurs, such as lateral movement and privilege escalation. Network-based detection is a requirement in this case because embedded devices that use the Treck software will not support endpoint agents.
- Isolate Vulnerable Devices: in circumstances where it is not possible to patch affected devices, it is recommended that security teams take the following steps:
  - Verify devices are not publicly accessible
  - Move devices to a network segment isolated from local subnets
  - Drop all IP-in-IP traffic destined for affected devices
  - Drop all IPv6 traffic destined for affected devices
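The four isolation steps map directly onto forwarding rules on the gateway in front of the affected segment. The shell function below is an added example (not from the ExtraHop report) that emits an nftables ruleset implementing them: it assumes a named internet-facing interface, a single management host that still needs to reach the devices, and the affected devices' IPv4 (optionally IPv6) addresses passed as arguments; every address and interface name in the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not part of the ExtraHop report. Emits an nftables ruleset that
# implements the four isolation steps for devices that cannot be patched, for a
# gateway that forwards traffic into their segment. Assumptions: WAN_IF is the
# internet-facing interface, MGMT_HOST is the one address allowed to reach the
# devices, and the address lists are comma-separated (all values constructed).

# ripple20_ruleset WAN_IF MGMT_HOST "V4, V4, ..." ["V6, V6, ..."]
ripple20_ruleset() {
    wan_if="$1"; mgmt_host="$2"; v4_list="$3"; v6_list="${4:-}"

    # An empty "elements = { }" is a syntax error in nft, so the IPv6 set is
    # declared without elements when no IPv6 addresses are supplied.
    v4_elems="elements = { $v4_list }"
    if [ -n "$v6_list" ]; then v6_elems="elements = { $v6_list }"; else v6_elems=""; fi

    cat <<EOF
table inet ripple20_isolation {
    set affected_v4 {
        type ipv4_addr
        $v4_elems
    }
    set affected_v6 {
        type ipv6_addr
        $v6_elems
    }

    chain forward {
        # Only adds drops; the host's existing forward policy still applies.
        type filter hook forward priority 0; policy accept;

        # Step 1: nothing arriving on the internet-facing interface reaches an affected device.
        iifname "$wan_if" ip daddr @affected_v4 drop

        # Step 2: unreachable from other local (RFC 1918) subnets, except the management host.
        ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } ip saddr != $mgmt_host ip daddr @affected_v4 drop

        # Step 3: drop IP-in-IP (IP protocol number 4) destined for affected devices.
        ip daddr @affected_v4 ip protocol 4 drop

        # Step 4: drop all IPv6 traffic destined for affected devices.
        ip6 daddr @affected_v6 drop
    }
}
EOF
}

# Demonstration with constructed values: two IPv4 devices, no IPv6 addresses.
ripple20_ruleset eth0 10.0.0.5 "10.0.50.11, 10.0.50.12"
```

Write the output to a file and check it with `nft -c -f <file>` before loading it; the `-c` flag parses and validates the ruleset without changing the running configuration, which is the safe way to confirm the generated syntax on the target kernel and nft version.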