How to Understand Your Exposure and Mitigate Your Risks

A set of 19 zero-day vulnerabilities, Ripple20, has just been announced that could affect hundreds of millions of devices in use today across the globe. JSOF research lab discovered the vulnerabilities in the Treck TCP/IP software library, which has been used for decades by manufacturers building devices for industrial, healthcare, and smart device markets. As a result, we suspect most of our healthcare customers will be affected to some extent and should take steps to identify and mitigate their risks. 

The Potential Impact of the Ripple20 Vulnerabilities

The widespread use of the Treck software library means the vulnerabilities could potentially affect tens, even hundreds, of millions of devices, including products such as medical devices, data center systems, printers, routers, and critical infrastructure.

According to the CERT Coordination Center, “the impact of these vulnerabilities will vary due to the combination of build and runtime options used while developing different embedded systems. This diversity of implementations and the lack of supply chain visibility has exasperated the problem of accurately assessing the impact of these vulnerabilities.”

Four of the discovered vulnerabilities have been rated critical because they can enable remote code execution (RCE) and exposure of sensitive information. JSOF noted one of the vulnerabilities is “in the DNS protocol and may potentially be exploitable by a sophisticated attacker over the Internet, from outside the network boundaries, even on devices that are not connected to the Internet.”

How to Protect Your Network

The most direct remedy will be patching the affected devices. However, it is probably going to take time before patches for each and every device affected are available and approved by manufacturers. Plus, from a healthcare delivery organization’s perspective, patching these embedded systems, which may be part of critical systems and infrastructure, can be extremely complicated. Often it requires firmware refreshes or updates that are difficult to orchestrate and manage, particularly when the devices are relied upon for the ongoing delivery of patient care. 

The list of affected vendors and products is being updated daily and includes Intel, Rockwell Automation, Digi, Sandia National Labs, Schneider Electric, HCL Tech, HPE, Green Hills, MaxLinear, Cisco and more.

Therefore, until healthcare systems can confidently patch all affected devices, we recommend the following steps:

1. Identify all affected devices in your network
Make sure you know which of your devices are running the Treck stack, so you know where you are potentially vulnerable.

We can help: Medigate’s deep packet inspection (DPI) can discover and fingerprint all the connected medical and IoT devices in your environment, down to their embedded software; this information can then be used to map the vulnerabilities in your inventory to identify the devices that put you at risk. Medigate is also offering an active scanning tool in order to identify affected devices.

2. Monitor your network
Look for anomalous IP traffic that could be indicative of an exploit and block it to prevent data exfiltration. 

We can help: Because of Medigate’s understanding of IoMT manufacturer-intended protocols and clinical workflows, we can help you accurately detect malicious or out-of-order behavior that should be stopped. 

3. Segment your network to contain risks
Consider segmenting and isolating potentially affected devices to minimize the impact an exploit of one of the vulnerabilities could have on your data and operations. 

We can help: Medigate can recommend clinically vetted segmentation policies, based on device type and function, that can best limit your risk exposure. 

4. Apply patches as they become available
Treck issued a confidential security advisory and patch to its customers in March. Manufacturers are in the process of identifying all their affected products and testing and approving patches that can be used to close the holes the Ripple20 vulnerabilities created. When available, healthcare delivery organizations should apply these patches as soon as possible. 

We can help: With Medigate’s vulnerability mapping, organizations can prioritize and manage the patching of affected systems. 

Contact us today for more information on how we can help you assess and mitigate your risks.