June 29, 2020 by Ben Reardon
Recently, security research group JSOF released 19 vulnerabilities related to the “Treck” TCP/IP stack. This stack exists on many devices as part of the supply chain of many well known IoT/ICS/device vendors. Think 100s of millions/billions of devices and you are in the right ballpark.
The set of vulnerabilities is collectively known as “Ripple20” , and yes – like all big exploits it has its own website https://www.jsof-tech.com/ripple20/ (a fascinating read) and of course a logo. Refer also to the Treck response https://treck.com/vulnerability-reply-information/.
We at Corelight Research have been following developments closely, as there a number of key ingredients that add up to a dangerous situation here.
I could go on and on but the tl;dr is: We need all the protection we can get.
If there is one silver lining, it’s that any discovery or exploit traffic must traverse the network, which of course means that Corelight and Zeek are right in our element.
Today we are open sourcing a Zeek package (https://github.com/corelight/ripple20) that passively detects the presence of some of the tell-tale signs that Treck devices can exhibit. The package also detects when such devices are being scanned by currently available discovery scanners, and when signs of exploitation are observed on the wire.
We hope the open sourcing of this Zeek package helps organizations defend against this threat.
Credit to JSOF who discovered these vulnerabilities and to all of the CERTs and vendors who are currently coordinating discovery and patching efforts.
Feedback on the Zeek package is welcome, as we are keen to refine and improve.
#ICS #IOT #Ripple20 #Zeekurity #Treck #opensource #JSOF