Recently, JSOF, a boutique cybersecurity organization, discovered a series of vulnerabilities stemming from one small software library that has rippled across the supply chain. These vulnerabilities affect hundreds of millions of IoT devices and could potentially allow nefarious actors, including nation-states, to remotely take over these devices across industries, ranging from telecom, oil/gas, nuclear and medical to many others across critical infrastructure.

According to a press release, the series of zero-day vulnerabilities lies in a widely used low-level TCP/IP software library developed by Treck, Inc. These vulnerabilities, given the name Ripple20, affect hundreds of millions of devices (or more), and include multiple remote code execution vulnerabilities.

"The risks inherent in this situation are high. Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks," says JSOF.

The interesting thing about Ripple20, says the cybersecurity company, is the incredible extent of its impact, magnified by the supply chain factor. The widespread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain “ripple effect.” A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people. Ripple20 reached critical IoT devices from a wide range of fields, involving a diverse group of vendors.

Affected vendors, notes the release, range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar and Baxter, as well as many other major international vendors suspected of being vulnerable in the medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries. JSOF has been coordinating with the DHS, the Cybersecurity and Infrastructure Security Agency (CISA), and CERTs around the globe.

For more information, visit https://www.jsof-tech.com/ripple20/