
Ripple20 Vulnerabilities Will Haunt the IoT Landscape For Years To Come (zdnet.com)

Cyber-security experts have revealed today 19 vulnerabilities in a small library designed in the 90s that has been widely used and integrated into countless enterprise and consumer-grade products over the last 20+ years. From a report: Affected products include smart home devices, power grid equipment, healthcare systems, industrial gear, transportation systems, printers, routers, mobile/satellite communications equipment, data center devices, commercial aircraft devices, various enterprise solutions, and many others. Experts now fear that all products using this library will most likely remain unpatched due to complex or untracked software supply chains. Problems arise from the fact that the library was not only used by equipment vendors directly but also integrated into other software suites, which means that many companies aren't even aware that they're using this particular piece of code, and the name of the vulnerable library doesn't appear in their code manifests.
  • Just like how electrical devices have to go through testing and certification to ensure they won't catch on fire. Retailers should insist any IoT device has been vetted through at least some basic pen testing. We shouldn't buy from any retailer that doesn't.

    • by gavron ( 1300111 )

      Most electrical devices in the US have the CORD UL listed/approved. The device itself is not. It's cheaper.

      All of this, of course, begs the question of whether UL listed means anything anymore. Underwriters Laboratories does specific tests for insurance companies. Its label on your power cord doesn't mean your device is safe.

      E

      • I don't know about devices, but I wish they would certify USB cables.
      • by sjames ( 1099 )

        Not to mention that UL quietly transitioned to a for-profit company in 2012.

        There are way too many certifications out there that primarily certify that someone wrote a large check. I don't know if the new for-profit UL is one of those or not, but the profit motive certainly does add perverse incentives to the mix.

    • And that helps a 10 year-old device that has since been abandoned by the maker that seemed secure against now 10 year-old exploits how?
      • Comment removed based on user account deletion
        • Protections of law for software and hardware should not be automatic. Rather, they should be dependent on the manufacturer providing the source code/design documentation/etc. (which they must prove actually compiles/builds/etc. into the version sold to the public) into escrow. Once support, development, or the entity ceases to exist, the escrowed information is released to the public.

          This is actually highly analogous to how patents work already - show us how things will work in exchange for the protection

    • by jrumney ( 197329 )

      There is already an ISO/IEC standard for security in networked products that took effect last year. It doesn't help certify them against future exploits that haven't been discovered yet. If you think you can come up with a standard that does, I'm sure the relevant Working Group would love to hear from you.

  • by skids ( 119237 ) on Tuesday June 16, 2020 @12:20PM (#60189608) Homepage

    No, software devs, you do not trust length fields in packets. You use them to verify that the packet you actually received is the correct length based on information from the underlying packet hardware, and if that means you have to keep track of how many bytes remain in the buffer as you descend multiple layers of structure, you indeed must in fact do just that. No shortcuts.

    Also, learn to use unsigned integers, and if your language doesn't have good support for them, that's a bad sign. Pun intended.

    • by raymorris ( 2726007 ) on Tuesday June 16, 2020 @12:49PM (#60189704) Journal

      Specifically, what skids is saying is if you have a packet / structure that has a field of length 50, you better check whether the entire packet is 50 bytes or more! Otherwise you're reading right past the end of the packet and reading unrelated memory.

      Specifically:
      Max-field-length = packet_size - current position

      Somebody check that I don't have a fence post / off-by-one error there. :)
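The check skids and raymorris describe, worked through as an added example in C (this is not code from the Treck stack, from the Ripple20 write-up, or from either commenter). The wire format is invented for the demonstration: an outer header carrying a declared payload length, followed by a list of [type][len][value] options. At each layer the parser bounds every length field by the bytes it actually holds, using the thread's rule "max field length = packet_size - current position", and every size is an unsigned size_t so a bogus value cannot go negative and slip past a comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Invented packet format for this example (not a real protocol):
 *   outer header:  [version:1][payload_len:2, big-endian]
 *   payload:       sequence of options [type:1][len:1][value:len]
 */

/* Parse the option list inside a payload of exactly `len` bytes that we
 * really hold. Returns the option count, or -1 if a length field claims
 * more bytes than remain. */
static int parse_options(const uint8_t *payload, size_t len, size_t *value_bytes)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        size_t remaining = len - pos;        /* bytes actually available */
        if (remaining < 2)                   /* type+len header does not fit */
            return -1;
        size_t opt_len = payload[pos + 1];   /* untrusted, read from the packet */
        pos += 2;
        remaining -= 2;
        /* Compare against what remains rather than computing pos + opt_len:
         * the subtraction form cannot overflow, the addition form can. */
        if (opt_len > remaining)
            return -1;
        /* payload[pos .. pos + opt_len) is now known to lie inside the buffer */
        if (value_bytes)
            *value_bytes += opt_len;
        pos += opt_len;
        count++;
    }
    return count;
}

/* Parse a whole packet of `pkt_len` bytes as reported by the link layer.
 * The declared payload length is checked against the bytes we received
 * before the inner parser ever sees it. */
int parse_packet(const uint8_t *pkt, size_t pkt_len, size_t *value_bytes)
{
    const size_t HDR = 3;
    if (value_bytes)
        *value_bytes = 0;
    if (pkt_len < HDR)                       /* outer header does not fit */
        return -1;
    size_t declared = ((size_t)pkt[1] << 8) | pkt[2];
    if (declared > pkt_len - HDR)            /* payload claims more than we got */
        return -1;
    /* Hand the inner layer only the bytes that are really there. */
    return parse_options(pkt + HDR, declared, value_bytes);
}

/* Convenience: total value bytes of a well-formed packet, or (size_t)-1. */
size_t value_bytes_of(const uint8_t *pkt, size_t pkt_len)
{
    size_t v = 0;
    return parse_packet(pkt, pkt_len, &v) < 0 ? (size_t)-1 : v;
}

/* Constructed test packets (not captured traffic). */
static const uint8_t PKT_GOOD[] = {
    0x01, 0x00, 0x06,            /* version 1, payload of 6 bytes */
    0x01, 0x02, 0xAA, 0xBB,      /* option type 1, 2-byte value */
    0x02, 0x00                   /* option type 2, empty value */
};
static const uint8_t PKT_OVERSIZED_FIELD[] = {
    0x01, 0x00, 0x04,            /* payload of 4 bytes */
    0x01, 0x50, 0xAA, 0xBB       /* option claims 80 bytes, only 2 follow */
};
static const uint8_t PKT_LONE_TYPE_BYTE[] = {
    0x01, 0x00, 0x03,            /* payload of 3 bytes */
    0x01, 0x00, 0x05             /* one good option, then a type byte with no len */
};

int main(void)
{
    size_t v = 0;
    int n = parse_packet(PKT_GOOD, sizeof PKT_GOOD, &v);
    printf("good:            %d options, %zu value bytes\n", n, v);
    /* Same good packet, but the link layer delivered one byte less. */
    printf("short delivery:  %d\n", parse_packet(PKT_GOOD, sizeof PKT_GOOD - 1, NULL));
    printf("oversized field: %d\n", parse_packet(PKT_OVERSIZED_FIELD, sizeof PKT_OVERSIZED_FIELD, NULL));
    printf("lone type byte:  %d\n", parse_packet(PKT_LONE_TYPE_BYTE, sizeof PKT_LONE_TYPE_BYTE, NULL));
    return 0;
}
```

The one number the parser trusts is pkt_len, which comes from the receiving hardware or driver, not from the packet; every length inside the packet is only ever compared against the bytes left below that bound. Writing the test as `opt_len > remaining` instead of `pos + opt_len > len` also removes the classic wraparound where a huge length field makes the sum small enough to pass.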

  • by Koen Lefever ( 2543028 ) on Tuesday June 16, 2020 @12:21PM (#60189610)
    ... at least mention in the summary or in the title which library this is about: Treck TCP/IP library [treck.com].
    • It's called baiting the hook. And you clicked!
    • by BeerFartMoron ( 624900 ) on Tuesday June 16, 2020 @12:53PM (#60189716)
      Even better, link the actual vulnerability notice [jsof-tech.com].
      • That notice is just the PR bits. The CVE itself, as linked in your link, triggers a full page popover advertisement to sign up for their who-the-fuck-knows-what.

        This is irresponsible disclosure. Fuck those assholes.

    • Comment removed based on user account deletion
      • by Shotgun ( 30919 )

        They spread the expense over millions of devices sold?

      • I integrated the Treck stack into a product more than a decade ago - it was nicely optimized and had pretty good performance. It was also quite expensive to license. How does this show up in cheap smart home devices? Did they have a free version?

        They stole it. That is why it doesn't show up in software manifests.

      • by tlhIngan ( 30335 )

        I integrated the Treck stack into a product more than a decade ago - it was nicely optimized and had pretty good performance. It was also quite expensive to license. How does this show up in cheap smart home devices? Did they have a free version?

        I doubt it. Embedded TCP/IP stacks are extremely rare these days - they're popular for RTOS that don't have a network stack by default like VxWorks (some old routers used VxWorks as the base OS and presumably embedded a network stack into it).

        Cheap devices, and mode

        • Cheap devices, and modern routers all use Linux as the base OS nowadays

          And those IoS systems are full of XSS, CSRF, SQLI, ancient unpatched binaries, vulnerable services, homebrew insecure protocols, and all the other stuff that makes the IoS so exciting, that there's no need to attack the TCP stack on them.

      • How does this show up in cheap smart home devices?

        It typically doesn't appear much in IoS devices, more embedded/SCADA and the like. Even then I haven't encountered it much, VxWorks have their own stack, Segger, Mentor/Nucleus... oh, wait, Quadros uses the Treck stack. However apart from that a lot of others use LWIP and similar when the RTOS doesn't have a native stack.

        If you want something else to target then, try LWIP. Also FatFS, written by a student in Japan and used by a lot of RTOSes because it's free, BSD-licensed. If you can find vulns in one

    • Clicking on the CVE in the slashvertisement triggers a full page popover, "Sign up for the whitepaper".

      This doesn't seem like responsible disclosure...

  • I love how the jsof-tech website won't load pages without jsdelivr scripts whitelisted. Lookin' good there, security people, lookin' good.

  • Remedy

    by NotFamous ( 827147 )
    Hydroxychloroquine in moderate doses.
  • by sdinfoserv ( 1793266 ) on Tuesday June 16, 2020 @01:23PM (#60189868)
    If companies actually installed ~supported~ and patched software into their Internet Of Crapware cheapest by a nickel spy devices, the prices of on-going security maintenance would deter customers from buying the stuff.
  • In Mr. Robot, Elliot used one of these exploits to make the UPS systems explode in all the Evil Corp. locations.

  • IoT is just a disaster of unpatched software waiting to happen. All those eager little startups who won't survive 5% as long as their products.
