By Don Boxley, co-founder and CEO, DH2i [https://dh2i.com]
Cybersecurity researchers at the independent security research group JSOF recently discovered at least 19 security vulnerabilities that are found at the base of almost all Internet of Things (IoT) products. The zero-day vulnerabilities were found in a TCP/IP software library that Treck, Inc. developed — the software library is widely used in IoT devices, and the supply chain amplifies the vulnerabilities. According to the researchers, this series of vulnerabilities — dubbed “Ripple20” not for the number of vulnerabilities but for their impact and ripple effect on internet-connected devices in 2020 — affects “hundreds of millions of devices (or more) and include[s] multiple remote code execution vulnerabilities.”
On the JSOF website, the researchers spell out just how high the inherent risks are in this situation, giving the following as examples of potential consequences of these 19 vulnerabilities. Attackers could:
- Steal data off of a printer
- Change an infusion pump’s behavior
- Create malfunctions in industrial control devices
- Hide malicious code within embedded devices that stay there for years
- Enable outside entry into network boundaries
On June 16, 2020, recognizing the validity and danger of these vulnerabilities, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a critical security advisory. “A remote attacker can exploit some of these vulnerabilities to take control of an affected system,” CISA warned, noting that these affect “Treck IP stack implementations for embedded systems.” A July 15 update to this advisory provides a detailed overview of each of the 19 vulnerabilities.
The CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute (SEI) also published a Vulnerability Note about this issue, stating that most of the 19 vulnerabilities “are caused by memory management bugs” and “likely affect industrial control systems and medical devices.” The SEI summarized the situation by stating that “a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause a denial of service, disclose information, or execute arbitrary code.”
In short, many cybersecurity experts believe that we have just begun to discover the magnitude of the danger that Ripple20 represents, and even with fixes and patches from the manufacturer, the problem won’t go away easily. There are two potential solutions: local security solutions and software-defined perimeters (SDP). While some local security solutions have a proven ability to provide endpoint security for hybrid environments and cloud-based security to protect data as it moves from cloud to cloud and within clouds, deployed alone they may not be able to do the trick.
It’s the same with SDP solutions, which can hide IoT devices from the general public by using SDP’s micro-tunnels at the application level. These give network administrators the ability to segment users and devices at the application level rather than the network level. The benefits of this include diminishing the threat of lateral network attacks. SDP achieves this outcome by setting strong limits on remote users, allowing them access only to the applications they require, with no need for access control lists or firewall policies.
SDP also enables IoT devices and gateways to communicate directly with one another by providing discreet, private and secure network communications over untrusted networks, such as the public internet, via User Datagram Protocol (UDP). Companies can thus gain secure connectivity by using randomly generated, non-standard UDP ports for on-demand micro-tunnel communications, requiring only one UDP message channel between IoT devices and gateways. This helps to secure IoT devices by leaving no open ports, all but eliminating any surfaces that could remain vulnerable to network attacks.
SDP solutions are also multi-cloud ready, since placing all operations in a single cloud server is risky. SDP software allows for spreading workloads across more than one cloud, which works because of the application-specific micro-tunnels that tie them together. This also reduces risk in case of outages, allowing companies to shift operations as needed from cloud to cloud.
Despite the advantages of SDP, though, if the IoT devices with vulnerabilities from the Treck TCP/IP stack are accessible over the local area network, then the devices will still be vulnerable to attacks. At the end of the day, SDP is a transport layer that can provide private and hidden paths for exclusive data hideaways, but local security for such protected destinations is still local. This is why users need to layer both solutions. When local and SDP solutions are paired, together they present a virtually unassailable defense, which will help safeguard the companies that use this double-tiered strategy from suffering the consequences that can result from Ripple20 vulnerabilities.
About the Author
Don Boxley Jr is a DH2i co-founder and CEO. Prior to DH2i (www.dh2i.com), Boxley spent more than 20 years in management positions for leading technology companies, including Hewlett-Packard, CoCreate Software, Iomega, TapeWorks Data Storage Systems and Colorado Memory Systems. Don earned his MBA from the Johnson School of Management, Cornell University.