
Secplicity - Security Simplified


Ripple20 Causes Waves in Network Security

June 22, 2020 By Trevor Collins

Last week JSOF, a cybersecurity research team, disclosed 19 vulnerabilities in a TCP/IP library developed by Treck, Inc. Two of these are code execution vulnerabilities. According to the report, millions of devices, from printers to other embedded networking devices, use the Treck library as their TCP/IP stack.

JSOF hasn’t released many details on most of the vulnerabilities, except for the two most critical ones. In both cases, the researchers were able to abuse IP tunneling and packet fragmentation to trigger a buffer overflow. This allows malicious code to run without any user interaction. For those interested in the technical side, JSOF published a white paper on the two vulnerabilities here (behind an email gate).

Treck, Inc. has provided networking code for almost 20 years, and its stack has been integrated into the supply chains of many device makers, including Intel and HP. Devices using Treck libraries seem to be mostly IoT devices and Programmable Logic Controllers (PLCs), but we still don’t know the full extent of the vulnerable devices.

For devices in your network, patching the vulnerable devices provides the best protection, but not all devices will have patches available. For now, JSOF recommends the following steps to protect your network. We also describe what the Firebox can do to help you with each recommended step.

  • Normalize or block IP fragments, disable or block IP tunneling, enforce TCP inspection, and reject malformed TCP packets. The Firebox blocks malformed IP packets and TCP segments, so simply having the Firebox route the traffic covers most of the attack surface.
  • To prevent attackers from bypassing perimeter protections, block IP source routing and IPv6 routing. The WatchGuard default configuration blocks source routing in the Default Packet Handling settings. Don’t enable source routing unless you know what it means and you know a program needs it to function.
  • Normalize DNS through a secure recursive server or a DNS-inspecting firewall. The Firebox provides DNS inspection through the DNS proxy.
  • JSOF also recommends securing DHCP and using static IPs where possible. In extreme cases, such as protecting critical infrastructure, you may want to disable DHCP. Before you disable DHCP, understand that to send malicious DHCP packets an attacker must first bypass the firewall and stand up a DHCP server inside your network. Furthermore, the Firebox won’t forward DHCP packets from one network to another unless configured to do so. To prevent internal attacks, configure any downstream switch with DHCP snooping if it supports it.
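As an added illustration of the first two recommendations (example code written for this post, not WatchGuard’s or JSOF’s), the following Python snippet shows the IPv4 header checks a perimeter filter makes when it normalizes fragments, blocks IP tunneling and rejects source-routed packets. The packets, addresses and the `build_ipv4`/`policy_verdict` helper names are constructed for the example.

```python
# Added example (not WatchGuard or JSOF code): a minimal IPv4 header policy check
# mirroring the hardening advice above. Packets are constructed for illustration only;
# checksums are left zero and not validated.
import struct

IP_IN_IP, IPV6_IN_IP = 4, 41   # IP protocol numbers used for IP tunneling
LSRR, SSRR = 131, 137          # loose / strict source-route IPv4 option types


def build_ipv4(proto: int, flags_frag: int = 0, options: bytes = b"") -> bytes:
    """Construct a bare IPv4 header (options must already be padded to 4 bytes)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 1, flags_frag,
                      64, proto, 0, b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x03")
    return hdr + options


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields the policy needs; reject truncated or non-IPv4 headers."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"proto": proto, "mf": bool(flags_frag & 0x2000),
            "offset": flags_frag & 0x1FFF, "options": pkt[20:ihl]}


def option_types(options: bytes) -> set:
    """Walk the IPv4 options list: 0 = end of list, 1 = NOP, else type/len/data."""
    types, i = set(), 0
    while i < len(options) and options[i] != 0:
        t = options[i]
        types.add(t)
        if t == 1:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IPv4 option")
        i += options[i + 1]
    return types


def policy_verdict(pkt: bytes) -> list:
    """Reasons a perimeter filter would drop or normalize this packet ([] = pass)."""
    h = parse_ipv4(pkt)
    reasons = []
    if h["mf"] or h["offset"]:              # any fragment, first or later
        reasons.append("ip-fragment")
    if h["proto"] in (IP_IN_IP, IPV6_IN_IP):
        reasons.append("ip-tunnel")
    if option_types(h["options"]) & {LSRR, SSRR}:
        reasons.append("source-route")
    return reasons
```

A packet with the DF flag set but no offset passes, while a tunneled packet that is also fragmented collects both reasons.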

Any device protected by the Firebox isn’t susceptible to this attack unless someone bypasses your network perimeter. As we learn more about this vulnerability we will update you here. Additionally, WatchGuard doesn’t use Treck software on any Firebox or AP. All WatchGuard devices are NOT vulnerable.
