The Ripple20 threat (CVE-2020-11896/CVE-2020-11898) announced by JSOF on June 16, 2020 impacts over 50 vendors and hundreds of millions of connected devices across a spectrum of industries. Healthcare organizations are at particular risk since clinical networks are home to inherently vulnerable connected medical devices and scores of nonmedical IT/IoT and OT devices.
Ripple20 is a series of 19 critical vulnerabilities in the Treck TCP/IP stack, a software library commonly built into devices or embedded in third-party components of operating systems. Many device manufacturers and organizations affected by the vulnerabilities might not be aware they're vulnerable because they don't know their devices contain the library.
Because Ripple20 vulnerabilities can directly jeopardize patient safety, they pose a distinctly serious threat to healthcare organizations. Flaws in the stack enable remote code execution and allow attackers to take total control of targeted medical and IoT devices.
This can lead to the exposure and theft of PHI, a Denial of Service attack and clinical network shutdown, and even tampering with device functionality to interfere with medical treatment (think tampering with dosages of medicine delivered by infusion pumps, or radiation levels delivered by radiology devices).
Ripple20 vulnerabilities are embedded in Treck's TCP/IP Internet protocol suite library. Because the library can be incorporated into larger libraries, used as-is, or reconfigured, it is commonly built into the source code of a wide variety of medical and nonmedical devices.
Many of these devices are critical to clinical workflows and patient care delivery:
Many as-yet-undiscovered devices might contain the vulnerable code. Due to generations of rebranding, reformatting, and editing on the part of manufacturers, the original source library often goes unidentified, effectively leaving scores of devices unwittingly exposed. Because the library is so hard to trace, there may actually be billions of undiscovered vulnerable devices on networks around the world.
Treck released an update for the TCP/IP stack affected by Ripple20. The new software library can be installed to patch affected devices and address the vulnerabilities. However, patches for individual devices are released by their respective vendors, leaving devices and their networks exposed until each vendor prepares a patch and it is installed. In many cases, the vendor responsible for the device component that incorporates the library can't be identified, rendering the device unpatchable. Other devices may not be patchable at all (e.g. legacy devices with unsupported operating systems).
Hospitals can have tens of thousands of devices on their networks and scoping out those affected by Ripple20 and applying compensating controls manually can be quite the challenge.
Cynerio expedites these processes with automated solutions:
To schedule a free risk assessment and learn which devices on your network are affected by Ripple20 and other vulnerabilities, contact us today.