
ALERT: multiple critical 0-day vulnerabilities in TCP/IP stack affecting a large number of Internet-connected devices

Reference: 
Advisory #2020-020
Version: 
1.0
Affected software: 
All devices implementing the Treck Inc. TCP/IP stack library
Type: 
Remote Code Execution [RCE]; Exposure of Sensitive Information
CVE/CVSS: 
  • CVE-2020-11896 (CVSSv3 : 10)
  • CVE-2020-11897 (CVSSv3 : 10)
  • CVE-2020-11901 (CVSSv3 : 9)
  • CVE-2020-11898 (CVSSv3 : 9.1)
  • CVE-2020-11900 (CVSSv3 : 8.2)
  • CVE-2020-11902 (CVSSv3 : 7.3)

Sources

https://www.jsof-tech.com/ripple20/
https://www.us-cert.gov/ics/advisories/icsa-20-168-01
https://thehackernews.com/2020/06/new-critical-flaws-put-billions-of.html

Risks

Successful exploitation of the mentioned vulnerabilities has an impact on all three elements of the CIA triad: Confidentiality, Integrity and Availability.

The vulnerabilities allow an attacker to bypass NAT and firewalls and to take control of devices without any user interaction. The attack traffic looks like legitimate traffic and can be leveraged to mass-exploit other vulnerable devices.

An overview of a possible attack use case:

1. An attacker can take control of a publicly facing vulnerable device.
      a. The attacker can choose to stay in the network and lie low for a covert operation while maintaining a foothold.
      b. The attacker can choose to expand the foothold and mass-exploit vulnerable devices simultaneously.

Remark: the attacker can also operate from outside the network (for example through a man-in-the-middle position or DNS cache poisoning) by replying to packets that leave the network boundary, or by bypassing the NAT configuration.

Description

The series of zero-day vulnerabilities, named Ripple20, relates to issues in a low-level TCP/IP software library developed by Treck, Inc.

The library is embedded in many different products, which means that hundreds of millions of devices are vulnerable. Four of the vulnerabilities have a CVSS score above 9 and enable remote code execution.

The library is used in different solutions affecting multiple industry verticals:

  • Industrial devices
  • Energy
  • Healthcare
  • Government
  • Retail
  • Transportation
  • Home-Users

Recommended Actions

The CCB recommends that system administrators apply proper patching after thorough testing and implement extra monitoring and detection mechanisms, which can give the organization more insight into current and future related attacks.

Apply updates to the latest version of the Treck IP stack software (6.0.1.67 or later).

Treck can be contacted via security[@]treck.com

For more detailed information on the vulnerabilities and the mitigating controls, please see the Treck advisory. Other vendors affected by the reported vulnerabilities have also released security advisories for their affected products. Those vendors are:

B.Braun
Caterpillar
Green Hills
Rockwell
Schneider Electric

Block Anomalous IP traffic

As the attacks at hand can pass as legitimate traffic, it is crucial to protect your network environment with deep packet inspection.

Possible mitigations:

- Normalize or reject fragmented IP packets (IP fragments) if fragmentation is not needed in your environment
- Disable or block IP tunnelling, both IPv6-in-IPv4 and IP-in-IP, if not required
- Block IP source routing and deprecated IPv6 features such as routing headers
- Enforce TCP inspection and reject malformed TCP packets
- Block unused ICMP control messages such as MTU Update and Address Mask updates
- Normalize DNS through a secure recursive server or an application-layer firewall
- Ensure that you are using reliable OSI layer 2 (Ethernet) equipment
- Provide DHCP/DHCPv6 security with features like DHCP snooping
- Disable or block IPv6 multicast if not used in the switching infrastructure

Detect anomalous IP traffic

Suricata IDS has built-in decoder-event rules that can be customized to detect attempts to exploit these vulnerabilities. See the rule below for an example.

#IP-in-IP tunnel with fragments
alert ip any any -> any any (msg:"VU#257161:CVE-2020-11896, CVE-2020-11900 Fragments inside IP-in-IP tunnel https://kb.cert.org/vuls/id/257161"; ip_proto:4; fragbits:M; sid:1367257161; rev:1;)
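The following is an added example, not code from the CCB advisory, JSOF or Treck. It shows, in working Python, the header-level checks behind the mitigation list above (fragments, IP-in-IP and IPv6-in-IPv4 tunnels, IP source routing options, unused ICMP Address Mask messages) and the condition of the Suricata rule (outer protocol 4 with the MF bit set). It goes one step further than the rule by also parsing the encapsulated packet of an unfragmented IP-in-IP tunnel and applying the same checks to it. The function and constant names (check_packet, build_ipv4, the sample packets) are this example's own; the option numbers 131/137 and ICMP types 17/18 come from RFC 791 and RFC 950, and the "MTU Update" ICMP case from the list is not implemented here. All packets are constructed samples, not real captures.

```python
"""Added example (not code from the CCB advisory, JSOF or Treck): a minimal IPv4
parser plus a policy check that mirrors the advisory's mitigations (fragments,
IP-in-IP / IPv6-in-IPv4 tunnels, source routing, unused ICMP types) and the
condition of its Suricata rule (ip_proto:4 with the MF bit set). All packets
below are constructed samples, not real captures."""
import socket
import struct
from dataclasses import dataclass

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_IPV6 = 1, 4, 41
SOURCE_ROUTE_OPTIONS = {131, 137}   # LSRR / SSRR option types (RFC 791)
ICMP_ADDR_MASK_TYPES = {17, 18}     # Address Mask Request / Reply (RFC 950)


@dataclass
class IPv4Packet:
    mf: bool            # More Fragments flag
    frag_offset: int    # fragment offset in bytes
    proto: int
    options: list       # option type numbers present in the header
    payload: bytes


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(raw: bytes) -> list:
    """Walk the options area, rejecting bad lengths instead of trusting them."""
    kinds, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed IP option length")
        kinds.append(kind)
        i += raw[i + 1]
    return kinds


def parse_ipv4(data: bytes) -> IPv4Packet:
    """Parse one IPv4 header; raise ValueError on anything inconsistent."""
    if len(data) < 20:
        raise ValueError("short header")
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(data):
        raise ValueError("inconsistent version/length fields")
    if ipv4_checksum(data[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return IPv4Packet(mf=bool(flags_frag & 0x2000), frag_offset=(flags_frag & 0x1FFF) * 8,
                      proto=proto, options=parse_options(data[20:ihl]), payload=data[ihl:total_len])


def check_packet(raw: bytes, depth: int = 0) -> list:
    """Return the policy findings for one packet; an empty list means it passes."""
    try:
        pkt = parse_ipv4(raw)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    tag = "inner " if depth else ""
    findings = []
    if pkt.mf or pkt.frag_offset:
        findings.append(tag + "ip-fragment")
    if pkt.proto == IPPROTO_IPIP:
        findings.append(tag + "ip-in-ip-tunnel")
        if pkt.mf:   # same condition as the advisory's rule: ip_proto:4; fragbits:M
            findings.append("fragmented-ip-in-ip")
        elif depth == 0 and not pkt.frag_offset:
            findings += check_packet(pkt.payload, depth + 1)   # inspect the encapsulated packet too
    if pkt.proto == IPPROTO_IPV6:
        findings.append(tag + "ipv6-in-ipv4-tunnel")
    if any(k in SOURCE_ROUTE_OPTIONS for k in pkt.options):
        findings.append(tag + "source-routing-option")
    if pkt.proto == IPPROTO_ICMP and pkt.payload and pkt.payload[0] in ICMP_ADDR_MASK_TYPES:
        findings.append(tag + "icmp-address-mask")
    return findings


def build_ipv4(proto, payload, mf=False, offset=0, options=b"", src="10.0.0.1", dst="10.0.0.2"):
    """Build a constructed IPv4 packet with a valid checksum (sample input only)."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32 bits
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed sample packets (TCP payloads are zero-filled placeholders).
BENIGN_TCP = build_ipv4(6, b"\x00" * 20)
FRAGMENTED_TCP = build_ipv4(6, b"\x00" * 8, mf=True)
INNER_TCP = build_ipv4(6, b"\x00" * 20, src="192.0.2.10", dst="192.0.2.20")
IPIP_TUNNEL = build_ipv4(IPPROTO_IPIP, INNER_TCP)
FRAGMENTED_IPIP = build_ipv4(IPPROTO_IPIP, INNER_TCP, mf=True)
IPIP_INNER_FRAGMENT = build_ipv4(IPPROTO_IPIP, build_ipv4(6, b"\x00" * 8, mf=True))
SOURCE_ROUTED = build_ipv4(6, b"\x00" * 20, options=b"\x83\x07\x04" + socket.inet_aton("10.0.0.9"))
ADDR_MASK_REQUEST = build_ipv4(IPPROTO_ICMP, bytes([17, 0, 0, 0]) + b"\x00" * 8)
TRUNCATED = IPIP_TUNNEL[:15]

if __name__ == "__main__":
    for name in ("BENIGN_TCP", "FRAGMENTED_TCP", "IPIP_TUNNEL", "FRAGMENTED_IPIP",
                 "IPIP_INNER_FRAGMENT", "SOURCE_ROUTED", "ADDR_MASK_REQUEST", "TRUNCATED"):
        print("%-20s %s" % (name, check_packet(globals()[name]) or "pass"))
```

Each finding corresponds to one bullet of the mitigation list, so a network device that normalizes or rejects traffic can use the same checks as a drop policy, while an IDS uses them as alert conditions. A packet that does not parse is reported as malformed rather than silently passed, which is the behaviour the "reject malformed packets" bullet asks for.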