Detecting and Mitigating Ripple20 Vulnerabilities

JSOF recently published details of 19 vulnerabilities they found in the Treck TCP/IP stack, the networking software that many device manufacturers embed in their products to let those devices communicate over a network. The vulnerabilities were originally discovered in September of last year.

While there is no indication that these vulnerabilities have been exploited in the wild, any flaw in the TCP/IP stack affects the fundamental networking core of a device. The list of vendors with vulnerable devices is long: JSOF has confirmed the impact at 15 vendors, including Baxter, Intel, Caterpillar, Cisco, Aruba, HP, and Xerox, all of which have issued their own advisories and patches.

However, the list of affected devices continues to grow, because these vulnerabilities have likely been present in the Treck stack for more than 20 years and the stack has been built into millions of devices over that time. Organizations need to assess their exposure by identifying any vulnerable assets in their inventory, and then respond by patching or, where patching is not possible, implementing compensating controls to protect at-risk devices.

Ordr now offers a solution for organizations to detect and mitigate risks from Ripple20 vulnerabilities. Ordr Systems Control Engine (SCE) can:

  • Identify vulnerable assets impacted by Ripple20 via our new Ripple20 scanner
  • Passively identify devices that are vulnerable to Ripple20 by comparing their device classification against known vulnerable device lists
  • Detect active exploitation of Ripple20 using our built-in intrusion detection engine
  • Proactively protect devices from Ripple20 attacks by dynamically generating policies and enforcing them on network devices or next-generation firewalls

For more information, please refer to our security bulletin here. The Ordr solution for Ripple20 will be available in the 7.2.7 release and is also being deployed and supported simultaneously in 7.2.5 and 7.2.6, which are already live at customer sites.

We thank JSOF for their support and collaboration.