Security researchers have discovered a handful of game-changing vulnerabilities that spell trouble for dozens of connected device vendors and their customers. On Tuesday this week, security company JSOF unveiled 19 CVEs – four of them critical remote code execution flaws – in a low-level networking software library. Together, the flaws render millions of devices vulnerable.
Labeling the discovery Ripple20, the researchers said that the bugs enable attackers to take control of internet-facing devices and then lurk undetected for years. Other risks include mass infections inside a network using a hacked device as a foothold, according to their vulnerability analysis. No user interaction is necessary for a hacker to take over your network using these flaws.
Getting in touch with vendors has been a priority for JSOF, which said that 15 vendors were affected as of yesterday, including Cisco, HP, and Schneider Electric. Another 57 were still investigating the effect on their products, including EMC, GE, Broadcom, and NVIDIA. Not affected were AMD, Philips, and Texas Instruments (at least, according to their own reports).
Developer Treck, Inc. was the source of these bugs (and has fixed them). The company wrote a low-level TCP/IP library two decades ago that it has licensed to other vendors. Hundreds of millions of devices are now at risk as a result of the bugs. According to JSOF, even tracking down the manufacturers and products using the code was a major challenge. Now, those manufacturers will have to roll the updated software into their products and update old ones where possible.
Keeping new bugs from doing harm is bad enough, but when years-old code has percolated into countless products, taking critical flaws with it, it’s a far more serious issue. Your biggest problem at that point is getting whatever code fixes you manage to create out into the field.
Only basic details of these bugs are available today, but the researchers will be releasing another two white papers following Black Hat USA this year, showing how they managed to exploit some of the bugs to switch off a Schneider Electric UPS.
Until then, the company has listed some advice for device vendors and network operators alike, showing them how to protect equipment that they can’t immediately update.