Ripple20 – Detect and Isolate Vulnerable Devices at Risk

The recently announced Ripple20 vulnerabilities continue to be discussed, both in terms of how vast the problem really is and in terms of the number and critical nature of some of the individual flaws. Multiple articles have been published, leaving cybersecurity professionals with a plethora of information and some high-level recommendations on potential mitigation options. Today, we will discuss some very specific steps that can be taken using Genian NAC to help identify potentially affected devices on your network.

First, we will recap the problem at hand. The short story is that the flaws are located in the Treck TCP/IP stack, a third-party networking library embedded in many devices worldwide, which is why one set of bugs surfaces across products from many unrelated vendors. One BleepingComputer article covers the details of the vulnerabilities, including some of the nastier ones noted below.

“Of the Ripple20 batch, four bugs are critical. Two of them (remote code execution CVE-2020-11896 and CVE-2020-11897) have the highest severity score (10 out of 10) and the other two are rated 9.0 (CVE-2020-11901) and 9.1 (an information leak, CVE-2020-11898).”

In a second article, the author elaborates on the impact to various verticals, which is significant.

The article also points out some of the specific models from vendors that have been confirmed as affected by the vulnerabilities. Let us examine one of those vendors, Cisco, and some of the networking and other equipment that has been confirmed as vulnerable. Although this list is sure to grow, if you are a Cisco shop, this is a good place to start.

Here are the Cisco models listed with their associated bug IDs.

The goal here will be to identify whether any of these models show up on the network among the existing Cisco gear, group them together by Platform type, restrict or modify permissions (if desired) and automatically notify Admins. Let's start with the first step: Identify.

Step 1: Identify Platforms

Leveraging Genians Device Platform Intelligence, a Genian NAC Sensor can be deployed on the network rapidly to non-intrusively identify all IP-enabled devices on a network. Sensors can be deployed as Intel-based hardware, virtual instances or even the recently added Windows Sensor Agent Plugin, which allows a Windows machine to act as a Sensor. Whichever method is chosen, it will quickly identify all connected devices, including Cisco devices.

To identify these devices, we will create a Node Group and an Enforcement Policy in the Genian NAC UI. The Node Group will list the Cisco devices confirmed vulnerable from the list above, and the Enforcement Policy will provide options later on for isolating or restricting the devices. In this case, since we are talking about networking gear, we will skip restricting access: cutting off a switch or router also cuts off every host behind it, and may cut off the management path you need to patch it, so for infrastructure devices the tag and the notification are the useful output and the restriction decision belongs to a human.

Segment Ripple20 vulnerable devices

Enforce Policies to Ripple20 vulnerable devices

Step 2: Configure Notifications & Node Tagging

Next, we will configure a Log Filter, which serves a dual purpose. First, it triggers notification options so Admins are aware that a vulnerable device is on the network; in this case we have enabled both an email option and a Slack option. Second, it dynamically assigns a Node Tag to any node detected that matches the Platform types listed in the Node Group.

Email Notification

Webhook

Tag

Step 3: Validate Node Tagging

Once the configurations are in place, a matching log entry similar to the example below will be posted. In this example, a Cisco device has matched, and this has triggered the assignment of a Ripple20 Node Tag. This Tag is one of the components an Admin can use later to optionally restrict access for the device.

Reviewing the list of Cisco devices discovered by the Sensor and presented in the UI, we see the device that was tagged with the Ripple20 Tag, while the other Cisco devices were not tagged because they are not in the Node Group of vulnerable devices. That is the check worth repeating whenever the Node Group is updated: a model that was not tagged is either genuinely not on the confirmed list or is being reported by the Sensor under a platform name the Node Group does not match.

Step 4: Validate Notifications

Next, we will validate both forms of notification. Checking the email account associated with the email notification option, we find that an alert email was received.

Using the Genian NAC Webhook Integration for Slack, when we check the integrated Slack channel, we see that notifications are also received in Slack any time this event occurs.
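The classify-and-notify flow from Steps 1 through 4 (match a discovered node's platform against a watchlist, assign a tag, emit a notification) reduced to standalone logic, as an added example that is not Genian NAC code and does not use its API. Everything named here is constructed for the example: the platform strings, the node records and the webhook body; the CVE IDs are the four critical ones quoted above. Two details the UI screenshots cannot show are made explicit: platform names are normalised before matching so that cosmetic differences in how a sensor reports a model do not cause a miss, and alerts are keyed by MAC so repeated sensor sweeps of the same device do not re-alert.

```python
"""Added example, not Genian NAC code: the match -> tag -> notify flow of
Steps 1-4 as offline-testable logic. Platform names, node records and the
webhook payload are constructed placeholders, not vendor advisory data."""
import json
import re

# The four critical Ripple20 CVEs quoted in the BleepingComputer excerpt.
RIPPLE20_CRITICAL_CVES = (
    "CVE-2020-11896", "CVE-2020-11897", "CVE-2020-11898", "CVE-2020-11901",
)
TAG = "Ripple20"

# Constructed watchlist standing in for the confirmed-vulnerable Node Group.
VULNERABLE_PLATFORMS = {
    "ExampleVendor Router-100",
    "ExampleVendor Switch-200",
}


def _norm(platform: str) -> str:
    """Collapse case, spacing and punctuation so 'Switch-200' and
    'switch 200' compare equal; a raw string compare would miss the latter."""
    return re.sub(r"[^a-z0-9]+", "", platform.lower())


_WATCHLIST = {_norm(p) for p in VULNERABLE_PLATFORMS}


def classify_nodes(nodes):
    """Return copies of the node dicts with a 'tags' list; a node whose
    platform is on the watchlist gains the Ripple20 tag (the Node Group +
    Log Filter behaviour of Steps 1-2). Input dicts are not modified."""
    out = []
    for node in nodes:
        tagged = dict(node)
        tags = list(node.get("tags", []))
        if _norm(node["platform"]) in _WATCHLIST and TAG not in tags:
            tags.append(TAG)
        tagged["tags"] = tags
        out.append(tagged)
    return out


def slack_payload(node):
    """Body for a Slack incoming webhook; {'text': ...} is the minimal
    documented form. The URL the body is POSTed to is deployment-specific
    and deliberately not included here."""
    text = (f":warning: {TAG} match: {node['platform']} at {node['ip']} "
            f"({node['mac']}) - review against "
            f"{', '.join(RIPPLE20_CRITICAL_CVES)}")
    return {"text": text}


def build_alerts(nodes, already_alerted):
    """One alert per newly tagged node. Keyed by MAC so that each sensor
    sweep re-seeing the same device does not re-alert (the alert-storm
    failure mode). Returns (payloads, updated set of alerted MACs)."""
    seen = set(already_alerted)
    payloads = []
    for node in classify_nodes(nodes):
        if TAG in node["tags"] and node["mac"] not in seen:
            payloads.append(slack_payload(node))
            seen.add(node["mac"])
    return payloads, seen


# Constructed sample inventory, shaped like one sensor sweep's output.
SAMPLE_NODES = [
    {"ip": "10.0.0.1", "mac": "00:11:22:33:44:01",
     "platform": "ExampleVendor Router-100"},
    {"ip": "10.0.0.2", "mac": "00:11:22:33:44:02",
     "platform": "examplevendor switch 200"},   # matches only after _norm
    {"ip": "10.0.0.3", "mac": "00:11:22:33:44:03",
     "platform": "ExampleVendor Switch-300"},   # not on the watchlist
]

if __name__ == "__main__":
    alerts, seen = build_alerts(SAMPLE_NODES, set())
    for alert in alerts:
        print(json.dumps(alert))
    # A second sweep of the same inventory must produce no new alerts.
    again, _ = build_alerts(SAMPLE_NODES, seen)
    print(f"second sweep produced {len(again)} new alerts")
```

To use this against a real inventory, replace SAMPLE_NODES with the node export from your sensor and VULNERABLE_PLATFORMS with the models from the vendor advisory, and persist the returned set of alerted MACs between runs; the normalisation in _norm is the part to revisit if your sensor reports platforms with extra qualifiers (firmware version, revision) that should not affect the match.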

Ripple20 will be with us for some time, and navigating how to mitigate these vulnerabilities requires a tiered approach built on granular visibility across all types of networks, including remote networks with IoT, ICS and networking equipment. Having a non-disruptive, rapidly deployable option for network visibility is key. Once visibility is obtained, an automated system configured to classify and optionally restrict access with no manual intervention by security Admins keeps the mitigation process from becoming human intensive. One caveat applies to any platform-based approach, including the one above: the tag is only as good as the list of confirmed-vulnerable models behind it, so as vendors extend their advisories the Node Group must be updated to match, and a device whose platform the Sensor cannot identify will not be tagged at all. Finally, flexible notification options are key in today's workplace. This includes the option to push notifications via email, Slack, Teams, ServiceNow or other collaborative tools that are increasingly prevalent in the dynamic work environment the average cybersecurity professional operates in today.

Stay tuned for a future blog on Ripple20 where we will discuss a different approach using CVE related information correlated to active nodes to identify nodes requiring mitigation.
