
Ripple20 bugs set off wave of security problems in millions of devices

Security researchers have discovered a handful of game-changing vulnerabilities that spell trouble for dozens of connected device vendors and their customers. On Tuesday this week security company JSOF unveiled 19 CVEs – four of them critical remote code execution flaws – in a low-level networking software library that render millions of devices vulnerable.
Labeling the discovery Ripple20, the researchers said that the bugs enable attackers to take control of internet-facing devices and then lurk undetected for years. Other risks include mass infections inside a network using a hacked device as a foothold, said their vulnerability analysis. No user interaction is necessary for a hacker to take over your network using these flaws.
Getting in touch with vendors has been a priority for JSOF, which said that 15 vendors were affected as of yesterday, including Cisco, HP, and Schneider Electric. Another 57 were still investigating the effect on their products, including EMC, GE, Broadcom, and NVIDIA. Not affected were AMD, Philips, and Texas Instruments (at least, according to their own reports).


Developer Treck, Inc was the source of these bugs (and has fixed them). The company wrote a low-level TCP/IP library two decades ago that it has licensed to other vendors. Hundreds of millions of devices are now at risk as a result of the bugs. According to JSOF, even tracking down the manufacturers and products using the code was a major challenge. Now, they’ll have to roll the updated software into their products and update old ones where possible.
Keeping new bugs from doing harm is bad enough, but when a piece of code years old has percolated into countless products, taking critical flaws with it, it’s a far more serious issue. Your biggest problem at that point is getting whatever code fixes you manage to create out into the field.
Only basic details of these bugs are available today, but the researchers will be releasing another two white papers following Black Hat USA this year, showing how they managed to exploit some of the bugs to switch off a Schneider Electric UPS.
Until then, the company has listed some advice for device vendors and network operators alike, showing them how to protect equipment that they can’t immediately update.

4 Comments

2020 just wants to be remembered I guess.
Everything on my disaster bingo card is filled in, except for space invaders... so far.
6 Months to go.
Looking forward to the vulnerability test software, no not the infected version, the real one.


Yeah I’m not “in” the security field at all really, just sw dev, so maybe it’s just my imagination but I feel like I’ve seen a lot more pretty-serious security bugs pop up in my news feed the past few months, and with COVID I know it would make tons of sense. If I was a script kiddie or especially, even a foreign state power, interested in gathering intelligence on other nations I wasn’t a huge fan of – now would probably be the best time ever to do so, when everybody in the world is largely communicating solely through their keyboards.
