Ripple20 Vulnerabilities Will Haunt the IoT Landscape For Years To Come (zdnet.com) 33
Cyber-security experts have revealed today 19 vulnerabilities in a small library designed in the 90s that has been widely used and integrated into countless enterprise and consumer-grade products over the last 20+ years. From a report: Affected products include smart home devices, power grid equipment, healthcare systems, industrial gear, transportation systems, printers, routers, mobile/satellite communications equipment, data center devices, commercial aircraft devices, various enterprise solutions, and many others. Experts now fear that all products using this library will most likely remain unpatched due to complex or untracked software supply chains. Problems arise from the fact that the library was not only used by equipment vendors directly but also integrated into other software suites, which means that many companies aren't even aware that they're using this particular piece of code, and the name of the vulnerable library doesn't appear in their code manifests.
UL listed (Score:2)
Just like how electrical devices have to go through testing and certification to ensure they won't catch on fire. Retailers should insist any IoT device has been vetted through at least some basic pen testing. We shouldn't buy from any retailer that doesn't.
Re: (Score:1)
Most electrical devices in the US have the CORD UL listed/approved. The device itself is not. It's cheaper.
All of this, of course, begs the question of whether UL listed means anything anymore. Underwriters Laboratories does specific tests for insurance companies. Its label on your power cord doesn't mean your device is safe.
E
Re: UL listed (Score:3)
Re: (Score:2)
Not to mention that UL quietly transitioned to a for-profit company in 2012.
There are way too many certifications out there that primarily certify that someone wrote a large check. I don't know if the new for-profit UL is one of those or not, but the profit motive certainly does add perverse incentives to the mix.
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Protections of law for software and hardware should not be automatic. Rather, they should be dependent on the manufacturer providing the source code/design documentation/etc. (which they must prove actually compiles/builds/etc. into the version sold to the public) into escrow. Once support, development, or the entity ceases to exist, the escrowed information is released to the public.
This is actually highly analogous to how patents work already - show us how things will work in exchange for the protection
Re: (Score:2)
There is already an ISO/IEC standard for security in networked products that took effect last year. It doesn't help certify them against future exploits that haven't been discovered yet. If you think you can come up with a standard that does, I'm sure the relevant Working Group would love to hear from you.
Ahh, packets (Score:3)
No, software devs, you do not trust length fields in packets. You use them to verify that the packet you actually received is the correct length based on information from the underlying packet hardware, and if that means you have to keep track of how many bytes remain in the buffer as you descend multiple layers of structure, you indeed must in fact do just that. No shortcuts.
Also, learn to use unsigned integers, and if your language doesn't have good support for them, that's a bad sign. Pun intended.
Specifically (Score:4, Funny)
Specifically, what skids is saying is if you have a packet / structure that has a field of length 50, you better check whether the entire packet is 50 bytes or more! Otherwise you're reading right past the end of the packet and reading unrelated memory.
Specifically:
Max-field-length = packet_size - current position
Somebody check that I don't have a fence post / off-by-one error there. :)
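The bounds discipline skids and the reply above describe, as an added example that is not from the original thread or from the Treck code: a cursor carries the authoritative byte count from the receive path (`packet_size - current position`, kept as an unsigned `size_t`), every claimed length field is checked against that count before it is consumed, and descending into a nested layer narrows the cursor rather than trusting the inner header. The two-layer packet format and the sample packets are constructed for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Cursor over a received buffer. `remaining` comes from the driver (bytes
 * actually received), never from a length field inside the packet.
 * Invariant: remaining == packet_size - current_position. */
typedef struct {
    const uint8_t *p;
    size_t remaining;
} cursor_t;

/* Each read checks the authoritative count first; returns 0 on a short read. */
static int take_u8(cursor_t *c, uint8_t *out) {
    if (c->remaining < 1) return 0;
    *out = *c->p++;
    c->remaining -= 1;
    return 1;
}

static int take_u16be(cursor_t *c, uint16_t *out) {
    if (c->remaining < 2) return 0;
    *out = (uint16_t)((c->p[0] << 8) | c->p[1]);
    c->p += 2;
    c->remaining -= 2;
    return 1;
}

/* The check from the comment: a claimed length may not exceed what remains.
 * size_t is unsigned, so a huge or "negative-looking" length cannot slip
 * past the comparison. */
static int take_bytes(cursor_t *c, size_t len, const uint8_t **out) {
    if (len > c->remaining) return 0;
    *out = c->p;
    c->p += len;
    c->remaining -= len;
    return 1;
}

/* Constructed toy format (hypothetical, not any real stack's wire format):
 *   outer: [type:1][body_len:2 big-endian][body ...]
 *   body : sequence of TLVs [tag:1][len:1][value:len]
 * Returns the number of TLVs parsed, or -1 on any length inconsistency. */
int parse_packet(const uint8_t *buf, size_t received_len) {
    cursor_t outer = { buf, received_len };
    uint8_t type;
    uint16_t body_len;
    const uint8_t *body;

    if (!take_u8(&outer, &type) || !take_u16be(&outer, &body_len)) return -1;
    /* "field of length 50" in a 10-byte packet is rejected right here */
    if (!take_bytes(&outer, body_len, &body)) return -1;

    /* Descend one layer: the inner cursor is bounded by body_len, which the
     * check above already bounded by received_len, so it cannot run past
     * the buffer no matter what the inner length fields claim. */
    cursor_t inner = { body, body_len };
    int count = 0;
    while (inner.remaining > 0) {
        uint8_t tag, len;
        const uint8_t *val;
        if (!take_u8(&inner, &tag) || !take_u8(&inner, &len)) return -1;
        if (!take_bytes(&inner, len, &val)) return -1;  /* inner len vs inner remaining */
        count++;
    }
    return count;
}

/* Constructed sample packets. */
static const uint8_t PKT_VALID[] = {
    0x01, 0x00, 0x07,             /* type, body_len = 7 */
    0x0A, 0x02, 0xAA, 0xBB,       /* TLV 1 */
    0x0B, 0x01, 0xCC              /* TLV 2 */
};
static const uint8_t PKT_BAD_OUTER[] = {
    0x01, 0x00, 0x32,             /* claims body_len = 50, only 7 bytes follow */
    0x0A, 0x02, 0xAA, 0xBB, 0x0B, 0x01, 0xCC
};
static const uint8_t PKT_BAD_INNER[] = {
    0x01, 0x00, 0x04,             /* body_len = 4, consistent with the buffer */
    0x0A, 0x10, 0xAA, 0xBB        /* but the TLV claims len = 16 inside a 4-byte body */
};

int example_valid(void)     { return parse_packet(PKT_VALID, sizeof PKT_VALID); }
int example_bad_outer(void) { return parse_packet(PKT_BAD_OUTER, sizeof PKT_BAD_OUTER); }
int example_bad_inner(void) { return parse_packet(PKT_BAD_INNER, sizeof PKT_BAD_INNER); }
int example_truncated(void) { return parse_packet(PKT_VALID, 2); }  /* header cut short */

int main(void) {
    printf("valid:     %d\n", example_valid());
    printf("bad outer: %d\n", example_bad_outer());
    printf("bad inner: %d\n", example_bad_inner());
    printf("truncated: %d\n", example_truncated());
    return 0;
}
```

The off-by-one worry in the comment is answered by the invariant on the cursor: because `remaining` is decremented by exactly what each read consumed, `len > remaining` rejects a field that would end one byte past the buffer while still accepting one that ends exactly at it.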
Come on /. editors... (Score:5, Informative)
Re: (Score:2)
Re:Come on /. editors... (Score:5, Insightful)
Re: (Score:3)
That notice is just the PR bits. The CVE itself, as linked in your link, triggers a full page popover advertisement to sign up for their who-the-fuck-knows-what.
This is irresponsible disclosure. Fuck those assholes.
Re: (Score:3)
Re: (Score:2)
They spread the expense over millions of devices sold?
Re: (Score:2)
Re: (Score:2)
I integrated the Treck stack into a product more than a decade ago - it was nicely optimized and had pretty good performance. It was also quite expensive to license. How does this show up in cheap smart home devices? Did they have a free version?
They stole it. That is why it doesn't show up in software manifests.
Re: (Score:3)
I doubt it. Embedded TCP/IP stacks are extremely rare these days - they're popular for RTOS that don't have a network stack by default like VxWorks (some old routers used VxWorks as the base OS and presumably embedded a network stack into it).
Cheap devices, and mode
Re: (Score:3)
Cheap devices, and modern routers all use Linux as the base OS nowadays
And those IoS systems are full of XSS, CSRF, SQLI, ancient unpatched binaries, vulnerable services, homebrew insecure protocols, and all the other stuff that makes the IoS so exciting, that there's no need to attack the TCP stack on them.
Re: (Score:2)
How does this show up in cheap smart home devices?
It typically doesn't appear much in IoS devices, more embedded/SCADA and the like. Even then I haven't encountered it much, VxWorks have their own stack, Segger, Mentor/Nucleus... oh, wait, Quadros uses the Treck stack. However apart from that a lot of others use LWIP and similar when the RTOS doesn't have a native stack.
If you want something else to target then, try LWIP. Also FatFS, written by a student in Japan and used by a lot of RTOSes because it's free, BSD-licensed. If you can find vulns in one
Re: (Score:2)
Clicking on the CVE in the slashvertisement triggers a full page popover, "Sign up for the whitepaper".
This doesn't seem like responsible disclosure...
Good lesson on not trusting external libraries! (Score:1)
I love how the jsof-tech website won't load pages without jsdelivr scripts whitelisted. Lookin' good there, security people, lookin' good.
Remedy (Score:2, Funny)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You get what you pay for (Score:3)
This isn't new ... (Score:1)
In Mr. Robot, Elliot used one of these exploits to make the UPS systems explode in all the Evil Corp. locations.
Least of their worries (Score:2)
IoT is just a disaster of unpatched software waiting to happen. All those eager little startups who won't survive 5% as long as their products.