The recently announced Ripple20 vulnerabilities continue to be discussed, both in terms of how widespread the problem really is and in terms of the number and severity of the individual flaws. Multiple articles have been published, which leaves cybersecurity professionals with a plethora of information and some high-level recommendations on potential mitigation options. Today, we will discuss some very specific steps that can be taken with Genian NAC to identify potentially affected devices on your network.
First, we will recap the problem at hand. The short story is that the flaws are located in the Treck TCP/IP stack embedded in many devices worldwide. One BleepingComputer article covers the details of the vulnerabilities, including some of the nastier ones, as quoted below.
“Of the Ripple20 batch, four bugs are critical. Two of them (remote code execution CVE-2020-11896 and CVE-2020-11897) have the highest severity score (10 out of 10) and the other two are rated 9.0 (CVE-2020-11901) and 9.1 (an information leak, CVE-2020-11898).”
In a second article, the author elaborates on the impact to various verticals, which is significant:
# | Vertical | Devices Matching Treck Signatures |
---|---|---|
1 | Healthcare | 52,935 |
2 | Retail | 8,347 |
3 | Manufacturing | 7,333 |
4 | Government | 5,904 |
5 | Financial Services | 5,225 |
- | Others | 11,346 |
The article also points out specific models from vendors that have been confirmed as affected by the vulnerabilities. Let us examine one of those vendors, Cisco, and the networking and other equipment it has confirmed as vulnerable. Although this list is sure to grow, if you are a Cisco shop, it is a good place to start.
Here are the Cisco models listed, with their associated bug IDs:
Product | Cisco Bug ID | Fixed Release Availability |
---|---|---|
Routing and Switching - Enterprise and Service Provider | | |
Cisco ASR 5000 Series Routers | CSCvu68945 | |
Cisco GGSN Gateway GPRS Support Node | CSCvu68945 | |
Cisco IP Services Gateway (IPSG) | CSCvu68945 | |
Cisco MME Mobility Management Entity | CSCvu68945 | |
Cisco PDSN/HA Packet Data Serving Node and Home Agent | CSCvu68945 | |
Cisco PGW Packet Data Network Gateway | CSCvu68945 | |
Cisco System Architecture Evolution Gateway (SAEGW) | CSCvu68945 | |
Step 1: Identify Platforms
Leveraging Genians Device Platform Intelligence, a Genian NAC Sensor can be deployed on the network rapidly to non-intrusively identify all IP-enabled devices. Sensors can be deployed on Intel-based hardware, as virtual instances, or even via the recently added Windows Sensor Agent Plugin, which allows a Windows machine to act as a Sensor. Whichever method is chosen, it will quickly identify all connected devices, including Cisco devices.
To identify these devices, we will create a Node Group and an Enforcement Policy in the Genian NAC UI. The Node Group will match the Cisco devices confirmed vulnerable in the list above, and the Enforcement Policy leaves the option open, later on, of isolating or restricting those devices. In this case, since we are talking about networking gear, we will skip restricting access.
Segment Ripple20 vulnerable devices
Enforce Policies to Ripple20 vulnerable devices
Step 2: Configure Notifications & Node Tagging
Email Notification
Webhook
Tag
Step 3: Validate Node Tagging
Step 4: Validate Notifications
Next, we will validate both forms of notification. Checking the email account associated with the email notification option, we find that an alert email was received.
Using the Genian NAC Webhook Integration for Slack, when we check the integrated Slack channel we see that notifications are received in Slack as well, every time this event occurs.
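The four steps above, carried out in the Genian NAC UI, boil down to a small workflow: match each discovered node's platform against the confirmed-affected product list (the Node Group), tag the matches, and push a notification (email or webhook). The Python script below is an added illustration of that workflow; it is not Genian NAC code and does not use the product's API. The node inventory is constructed, the platform strings stand in for whatever a sensor's classifier reports, the match tokens are this example's own choice derived from the product names in the Cisco table, and `SLACK_WEBHOOK_URL` is a placeholder an operator would replace.

```python
"""Ripple20 triage workflow: group nodes by platform, tag matches, notify.

Added illustration only. Not Genian NAC code; the INVENTORY below is a
constructed sample and the platform strings stand in for classifier output.
"""
import json
import re
import urllib.request
from dataclasses import dataclass, field

# Cisco products the Cisco table above lists as confirmed affected; all of
# them are tracked under bug ID CSCvu68945.
CONFIRMED_AFFECTED = {
    "Cisco ASR 5000 Series Routers": "CSCvu68945",
    "Cisco GGSN Gateway GPRS Support Node": "CSCvu68945",
    "Cisco IP Services Gateway (IPSG)": "CSCvu68945",
    "Cisco MME Mobility Management Entity": "CSCvu68945",
    "Cisco PDSN/HA Packet Data Serving Node and Home Agent": "CSCvu68945",
    "Cisco PGW Packet Data Network Gateway": "CSCvu68945",
    "Cisco System Architecture Evolution Gateway (SAEGW)": "CSCvu68945",
}

# Node Group condition: a platform string joins the group when it contains
# every token of a rule (case-insensitive, punctuation ignored). The tokens
# are this example's own choice, taken from the product names above.
MATCH_TOKENS = {
    "Cisco ASR 5000 Series Routers": {"cisco", "asr", "5000"},
    "Cisco GGSN Gateway GPRS Support Node": {"cisco", "ggsn"},
    "Cisco IP Services Gateway (IPSG)": {"cisco", "ipsg"},
    "Cisco MME Mobility Management Entity": {"cisco", "mme"},
    "Cisco PDSN/HA Packet Data Serving Node and Home Agent": {"cisco", "pdsn"},
    "Cisco PGW Packet Data Network Gateway": {"cisco", "pgw"},
    "Cisco System Architecture Evolution Gateway (SAEGW)": {"cisco", "saegw"},
}

GROUP_TAG = "Ripple20-Confirmed"
SLACK_WEBHOOK_URL = "https://hooks.slack.com/services/REPLACE/ME"  # placeholder


@dataclass
class Node:
    ip: str
    mac: str
    platform: str                      # as reported by the sensor's classifier
    tags: set = field(default_factory=set)


def platform_tokens(text):
    """Lower-case, split letter/digit runs ('asr5000' -> 'asr 5000') and
    return the set of alphanumeric tokens."""
    text = re.sub(r"(?<=[a-z])(?=\d)|(?<=\d)(?=[a-z])", " ", text.lower())
    return set(re.findall(r"[a-z0-9]+", text))


def classify(nodes):
    """Step 1 + Step 2 (Tag): return [(node, product)] for every node whose
    platform matches a rule, after tagging the node with the group name and
    the Cisco bug ID. A node matches at most one product (first rule wins)."""
    hits = []
    for node in nodes:
        toks = platform_tokens(node.platform)
        for product, required in MATCH_TOKENS.items():
            if required <= toks:
                node.tags.update({GROUP_TAG, CONFIRMED_AFFECTED[product]})
                hits.append((node, product))
                break
    return hits


def slack_payload(hits):
    """Step 2 (Webhook): body for a Slack incoming webhook. Slack requires a
    'text' field; one line per matched node."""
    lines = [f"{n.ip} ({n.mac}) '{n.platform}' -> {p} [{CONFIRMED_AFFECTED[p]}]"
             for n, p in hits]
    return {"text": "Ripple20 confirmed-affected node(s) detected:\n" + "\n".join(lines)}


def post_slack(payload, url=SLACK_WEBHOOK_URL, timeout=5):
    """POST the payload to the webhook URL and return the HTTP status code.
    Not called in the offline demo below."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.getcode()


# Constructed sample inventory, as a sensor sweep might report it.
INVENTORY = [
    Node("10.0.1.10", "00:11:22:33:44:01", "Cisco ASR 5000 Series Router"),
    Node("10.0.1.11", "00:11:22:33:44:02", "Cisco ASR5500 Series"),   # not on the list
    Node("10.0.2.20", "00:11:22:33:44:03", "Cisco Catalyst 9300 Switch"),
    Node("10.0.3.30", "00:11:22:33:44:04", "Cisco SAEGW"),
    Node("10.0.4.40", "00:11:22:33:44:05", "HP LaserJet Printer"),
    Node("10.0.5.50", "00:11:22:33:44:06", "cisco pgw packet data network gateway"),
]

if __name__ == "__main__":
    hits = classify(INVENTORY)
    for node, product in hits:                          # Step 3: validate tagging
        print(node.ip, sorted(node.tags), "->", product)
    print(json.dumps(slack_payload(hits), indent=2))    # Step 4: the notification
```

Two points the example makes that the UI walkthrough does not: the grouping is only as good as the rule list, so a platform that is not on the confirmed list (the ASR5500 entry in the sample) is deliberately left untagged rather than guessed at, and the rules need to be revisited as vendors extend their advisories; and the notification payload is built from the tagged nodes themselves, so the same data drives email, Slack, or any other webhook consumer.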
Ripple20 will be with us for some time, and mitigating these vulnerabilities requires a tiered approach built on granular visibility across all types of networks, including remote networks with IoT, ICS and networking equipment. Having a non-disruptive, rapidly deployable option for network visibility is key. Once visibility is obtained, an automated system that classifies and optionally restricts access with no manual intervention by security admins keeps the mitigation process from becoming labor intensive. And finally, flexible notification options matter in today's workplace: the ability to push notifications via email, Slack, Teams, ServiceNow or other collaboration tools that are increasingly prevalent in the dynamic environment the average cybersecurity professional works in today.
Stay tuned for a future blog on Ripple20, where we will discuss a different approach that correlates CVE information with active nodes to identify the nodes requiring mitigation.