Security is a necessary evil that constantly presents manufacturers with new challenges. And since JSOF discovered and disclosed the 19 zero-day vulnerabilities known as Ripple20, security organizations have been diligently looking for ways to adequately protect connected environments. After all, vulnerabilities of this nature could create costly holes that give unsavory characters access to data not only within IT networks, but also within operational technology and the remote access tools that have become common in the pandemic-induced new normal.
The recently announced research collaboration between McAfee Advanced Threat Research (ATR) and JSOF is a prime example. Through this research collaboration, McAfee ATR has produced signatures and the industry’s first comprehensive detection logic, designed for network administrators and security personnel looking to further understand these vulnerabilities and defend against exploitation.
“We often advocate for collaboration; with this research effort we’ve highlighted just how effective it can be when we work together,” said Steve Povolny, head of McAfee ATR. “Shortly after the initial Ripple20 disclosure, McAfee ATR and JSOF connected with a shared goal: combine the depth and breadth of McAfee’s expertise, as one of the world’s largest cybersecurity companies, with the talented vulnerability research team at JSOF to deliver substantive and actionable mitigations for the most critical disclosed vulnerabilities. Developed for network administrators, the detection logic and signatures were thoughtfully created to help address the most impactful vulnerabilities with a great amount of specificity, detecting problems at the root and taking into account practical situations and real-world considerations.”
Povolny tells IndustryWeek that the Ripple20 vulnerabilities made quite a splash when they landed publicly in June. “The Treck TCP/IP networking stack is used extensively across many industries, especially prevalent in IoT devices deployed across key verticals of enterprise, industrial controls, healthcare and many more. Many of the vulnerabilities reported had lower criticality scores based on the difficulty of exploitation, local versus remote access, and severity of impact. However, four vulnerabilities stood out to us,” he says. “They all had high severity scores and were potentially easy to exploit. Additionally, vendors in numerous industries are still racing to provide or implement patches for the flaws, which can take months or longer in many cases. We worked closely with JSOF, who found these vulnerabilities, to leverage our experts in vulnerability analysis on both teams, and McAfee ATR was able to produce comprehensive detection and rules for these top vulnerabilities.”
This will be critical to both vendors and manufacturers who often face the daunting task of identifying and patching vulnerabilities in devices that are rarely updated and often difficult to patch given their primary functions, explains Povolny. “In the meantime, they can rely on these virtual patches, implement custom detection logic using network security solutions or use the open-source tools on which our rules were based, to achieve coverage for the critical flaws.” Full details of the two most critical vulnerabilities are being presented by JSOF at Black Hat.
The Ripple20 vulnerabilities affect a variety of traditional and IoT devices manufactured by multiple vendors, the impact of which ranges from denial of service to full remote code exploitation over the internet. McAfee ATR focused on developing signatures and detection logic for the four most critical and likely to be exploited vulnerabilities, with the goal of supporting network administrators in determining if their environment contains the conditions required for an attack.
“At JSOF we always strive to engage in cutting-edge research that will have a direct impact on the security community and the security of vendors and asset owners. We are happy to have been able to collaborate to achieve this goal and produce high-quality exploit detection signatures and logic that can be used by the entire community,” said Shlomi Oberman, CEO of JSOF. “These signatures and detection logic will help organizations better understand and protect against the Ripple20 vulnerabilities. The outcomes of this collaboration could only have been developed through JSOF as the vulnerability finders and experts together with the researchers at McAfee and their unique expertise and understanding of detection logic and the needs of asset owners. We hope that the industry sees more collaborations like this from all stakeholders going forward, to develop ways to prevent and mitigate future Ripple-effect supply chain vulnerabilities.”