The modern digital ecosystem supports considerable security controls such as encryption, identification, and authentication, but this has not always been the case. During the initial development and deployment of the early Internet, concerns regarding cybersecurity were largely absent. Consequently, many of today's commonly used security solutions have been designed and applied piecemeal. It is therefore not surprising that flaws in underlying network stack infrastructure, present and unpatched since the late 1990s, are only now being discovered. For the perpetually growing IoT landscape, the implications of such vulnerabilities can be catastrophic.
Researchers have uncovered a series of zero-day vulnerabilities in an old TCP/IP software library. Vulnerabilities that are unknown to the affected product vendor are commonly referred to as zero-day vulnerabilities. Until the vendor patches the vulnerable systems, these flaws remain open to exploitation. Even once patches are released, many updates cannot be applied automatically, since they always need human interaction to be installed. Viewed as the most sought-after prize for cybercriminals to obtain and share, zero-day vulnerabilities pose the greatest threat to information security.
Researchers have discovered 19 such vulnerabilities and have named the set Ripple20 to illustrate the "ripple effect" these security defects will have on connected devices for years to come. The flaws originate in a high-performance TCP/IP protocol suite that one organization developed for use in embedded systems by connected-device manufacturers.
Because of the library's popularity, these vulnerabilities spread into global markets, hidden from view by the supply chain itself.
Understanding the software flaws themselves requires familiarity with two primary components of the vulnerability ecosystem: Common Weakness Enumeration (CWE) values and Common Vulnerability Scoring System (CVSS) values. The CWE serves as a common language for describing the nature of a vulnerability, while CVSS scores provide a universal yardstick for measuring its overall severity, even though many independent variables dictate how these values are assigned to each vulnerability in question.
In the context of the Ripple20 vulnerabilities, the three most common CWE values are CWE-20, CWE-125, and CWE-200. CWE-20 (improper input validation) affects the system's ability to validate input effectively, potentially allowing an adversary to execute malicious code. A CWE-125 flaw (out-of-bounds read) could grant an adversary the ability to read memory outside the intended buffer. A CWE-200 vulnerability could result in the exposure of sensitive information. The CVSS scores reflect both the criticality of a flaw and the degree of knowledge required to exploit it. Unfortunately, four of the Ripple20 flaws have a CVSS score of 9/10 or higher, which means they can be weaponized for disastrous impact without requiring considerable expertise from the threat actor.
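To make the CWE-20 and CWE-125 pattern concrete, here is an added example (not code from the article or from the affected TCP/IP stack) using a hypothetical TLV option format: a parser that trusts an embedded length field, beside one that checks every length against the bytes remaining. The packet layout, function names and sample packets are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the article or from the affected TCP/IP stack.
 * A hypothetical TLV option format: [type:1][len:1][value:len] repeated, with
 * type 0 as the end-of-options marker. Both sample packets are constructed. */
static const uint8_t good_pkt[] = { 1, 2, 0xAA, 0xBB,  2, 1, 0xCC,  0, 0 };
static const uint8_t bad_pkt[]  = { 1, 0xFF, 0x11 };   /* len claims 255 bytes, 1 present */

/* Unchecked walk (CWE-20): advances by the embedded len field without comparing
 * it to the bytes remaining. It only tracks offsets, so running it is safe, but
 * the returned offset is how far a parser that copies the value would read;
 * anything beyond pkt_len is an out-of-bounds read (CWE-125). */
size_t walk_options_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    size_t off = 0;
    while (off < pkt_len) {
        uint8_t type = pkt[off];
        /* guard kept only so this example never touches memory it does not own */
        uint8_t len = (off + 1 < pkt_len) ? pkt[off + 1] : 0;
        off += 2u + len;                 /* len is trusted: off can jump past pkt_len */
        if (type == 0)
            break;
    }
    return off;
}

/* Checked parser: every length is validated against the remaining bytes before
 * it is used. Returns the option count, or -1 on malformed input. */
int parse_options_checked(const uint8_t *pkt, size_t pkt_len, size_t *consumed)
{
    size_t off = 0;
    int count = 0;
    while (off < pkt_len) {
        if (pkt_len - off < 2)
            return -1;                   /* truncated header */
        uint8_t type = pkt[off];
        uint8_t len = pkt[off + 1];
        if (len > pkt_len - off - 2)
            return -1;                   /* value would overrun the buffer */
        off += 2u + len;
        if (type == 0)
            break;                       /* end-of-options marker */
        count++;
    }
    if (consumed)
        *consumed = off;
    return count;
}
```

On `bad_pkt` the unchecked walk reports an end offset of 257 for a 3-byte buffer, which is exactly the over-read the checked parser rejects with -1.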
The overall reach and scope of the flaws have significant market implications, even though researchers have provided recommendations to help mitigate the risks of Ripple20. The age of the vulnerable infrastructure adds to the challenge, as these zero-day vulnerabilities have penetrated millions of products through numerous vendors. Industrial, healthcare, consumer, retail, utility, aviation, enterprise, transportation, and even national security sectors have all been using the vulnerable network stack library.
A successfully exploited Ripple20 vulnerability can take various forms. If the flaws are exploited properly, an attacker could gain total control over an internal network device from outside the network perimeter, through the internet-facing gateway. If multiple vulnerable devices are discovered, an adversary could broaden the attack to target all unpatched components simultaneously. A vulnerable device could allow an attacker to exploit its components for years without ever being noticed. Depending on the type of device, the consequences of these attacks can be life-threatening.
Unfortunately, even after being notified that their products are affected and a security fix has been provided by the library's manufacturer, installing the patch has proved difficult for many vendors. Furthermore, for vulnerable components that are still in use, remediation can prove impossible if the vendor has gone out of business in the 20 years since purchase.
Although Ripple20 represents only one series of flaws, tracking down all vulnerable components and systems will remain a considerable forensic challenge in the coming years. Combined with similar vulnerabilities that have already been discovered and those yet to be uncovered, it makes the fragile state of the IoT supply chain clear. Without a more concerted effort to improve IoT and network device security throughout the entire lifecycle, from development to deployment and through to retirement, the IoT landscape will remain nearly impossible to secure.
To read more, please check the eScan Blog.