This one is pretty wild. Ripple20 is a set of 19 zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. It gets its name because the library's position in the supply chain allowed it, vulnerabilities and all, to ripple outward through hundreds of software and hardware vendors, and from there into hundreds of millions (maybe more) of devices: printers, UPSs, infusion pumps, industrial control devices, ... any kind of thing in the Internet of Things that has a network connection. It's been rippling outward since 1997, when the stack was first released.
It's important to note that it's not in Linux, Windows, iOS, or Android, so it's probably not in your phone or your computer. It might well be in your router, printer, WiFi-connected light switches, TV, or internet-connected refrigerator. And devices built on Wind River's VxWorks aren't affected -- those had their own batch, the URGENT/11 zero-day vulnerabilities in the IPnet TCP/IP stack, last year.
And only somewhere between 10,000 and 100,000 of those devices appear to be directly reachable from the internet (the rest sit behind NATs and firewalls, where anything else on the same network can still reach them). Chicken feed.
The vulnerabilities have, of course, been patched by Treck, and sent to their customers. And from there to their customers. And so on. But how many people check for software updates for their printer? (I do.) Is it even possible to install a software patch on a light switch? Is the company that made it still in business? You see the problem.
There are ways to set up a firewall to block the traffic these bugs need: JSOF's published mitigations amount to dropping IP fragments, IP-in-IP and IPv6-in-IPv4 tunneling, source-routed packets and unneeded ICMP control messages before they reach the devices, routing their DNS through a resolver you control, and keeping IoT gear on its own network segment. If your router manufacturer (or open-source OS project) sends you an update, install it.
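Here is what that firewall setup looks like in practice, as an added example written for this post (it is not code from the original page, from Treck or from JSOF). It assumes a Linux gateway running nftables 0.9 or newer, with the IoT devices on their own VLAN behind interface `iot0` on `192.168.50.0/24`, the internet on `wan0`, and the gateway's own DNS resolver listening at `192.168.50.1`; all of those names and addresses are assumptions, not facts from the page.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a home/office gateway (not from the original post,
# Treck or JSOF). Assumed layout: IoT VLAN on "iot0" = 192.168.50.0/24,
# internet on "wan0", local resolver at 192.168.50.1. Adjust to your network.
# This narrows the traffic Ripple20 exploits depend on; it does not fix the bugs.

# Declare-then-delete makes the file safe to re-run without duplicating rules.
table inet ripple20_mitigation
delete table inet ripple20_mitigation

table inet ripple20_mitigation {
    set iot_net {
        type ipv4_addr
        flags interval
        elements = { 192.168.50.0/24 }   # assumption: the IoT VLAN
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Nothing on the internet should be able to open a connection to an IoT device.
        iifname "wan0" ip daddr @iot_net ct state new counter drop

        # Only inspect traffic crossing into or out of the IoT segment.
        ip daddr @iot_net jump iot_ingress
        ip saddr @iot_net jump iot_egress
    }

    chain iot_ingress {
        # 1. IPv4 fragments: several of the Ripple20 memory bugs live in the
        #    stack's reassembly code. Drop anything with MF set or a non-zero offset.
        ip frag-off & 0x3fff != 0 counter drop

        # 2. Tunneling: IP-in-IP (protocol 4) and IPv6-in-IPv4 (protocol 41)
        #    exercise inner-packet parsers that a printer or UPS never needs.
        ip protocol { 4, 41 } counter drop

        # 3. IP options that steer or record the route.
        ip option lsrr exists counter drop
        ip option ssrr exists counter drop
        ip option rr exists counter drop

        # 4. ICMP control messages an embedded stack should not be acting on.
        icmp type { redirect, address-mask-request, address-mask-reply, timestamp-request } counter drop

        # 5. DNS answers may only come from the gateway's own resolver. Replies from
        #    192.168.50.1 leave via the output hook, so they never hit this chain;
        #    anything else claiming to be a DNS server is dropped here.
        udp sport 53 counter drop
    }

    chain iot_egress {
        # Devices must use the local resolver (assumed at 192.168.50.1), not a
        # hardcoded public one, so that DNS responses are parsed by a real
        # resolver before a Treck-based client ever sees them.
        ip daddr != 192.168.50.1 udp dport 53 counter drop
        ip daddr != 192.168.50.1 tcp dport 53 counter drop

        # No reason for an IoT device to originate tunnels either.
        ip protocol { 4, 41 } counter drop
    }
}
```

Load it with `nft -f ripple20.nft` and watch `nft list table inet ripple20_mitigation` to see which counters move; a counter that climbs steadily on the fragment rule usually means something legitimate on that segment (large EDNS answers, some VPN or NFS traffic) relies on fragmentation and needs an exception. Two caveats: the DNS rules silently break any device that hardcodes a public resolver, so a DNAT redirect to the local resolver is the friendlier alternative once you know what is on the VLAN; and none of this protects one IoT device from another on the same segment, which is why the isolated VLAN matters as much as the rules.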
- Ripple20 - JSOF
- Zero-day (computing) - Wikipedia
- Ripple20 Bugs Put Hundreds of Millions of IoT Devices at Risk | WIRED
- 'Ripple20' bugs in scores of IoT devices reveal 3rd-party code dangers
- Ripple20 vulnerabilities will haunt the IoT landscape for years to come | ZDNet
- Ripple20: Flaws in Treck TCP/IP Stack Expose Millions of IoT Devices to Attacks | SecurityWeek.Com
- URGENT/11 Leaves Billions of Devices Open to Cyber Security Risks
- Urgent/11 security flaws impact routers, printers, SCADA, and many IoT devices | ZDNet