McAfee Advanced Threat Research (ATR), a leading source for threat research, threat intelligence, and cybersecurity thought leadership, today announced a joint research effort with JSOF, who discovered and responsibly disclosed 19 zero-day vulnerabilities known by the name of Ripple20. Through this research collaboration, McAfee ATR has produced signatures and the industry’s first comprehensive detection logic, designed for network administrators and security personnel looking to further understand these vulnerabilities and defend against exploitation.
“At McAfee Advanced Threat Research we often advocate for collaboration; with this research effort we’ve highlighted just how effective it can be when we work together,” said Steve Povolny, head of McAfee ATR. “Shortly after the initial Ripple20 disclosure McAfee ATR and JSOF connected with a shared goal: combine the depth and breadth of McAfee’s expertise, as one of the world’s largest cybersecurity companies, with the talented vulnerability research team at JSOF to deliver substantive and actionable mitigations for the most critical disclosed vulnerabilities. Developed for network administrators, the detection logic and signatures were thoughtfully created to help address the most impactful vulnerabilities with a great amount of specificity, detecting problems at the root and taking into account practical situations and real-world considerations.”
“At JSOF we always strive to engage in cutting edge research, that will have a direct impact on the security community and the security of vendors and asset owners. We are happy to have been able to collaborate to achieve this goal and produce high-quality exploit detection signatures and logic that can be used by the entire community,” said Shlomi Oberman, CEO of JSOF. “These signatures and detection logic will help organisations better understand and protect against the Ripple20 vulnerabilities. The outcomes of this collaboration could only have been developed through JSOF as the vulnerability finders and experts together with the researchers at McAfee and their unique expertise and understanding of detection logic and the needs of asset owners. We hope that the industry sees more collaborations like this from all stakeholders going forward, to develop ways to prevent and mitigate future Ripple-effect supply chain vulnerabilities.
The Ripple20 vulnerabilities affect a variety of traditional and IoT devices manufactured by multiple vendors, the impact of which ranges from denial of service to full remote code exploitation over the internet. McAfee ATR focused on developing signatures and detection logic for the four most critical and likely to be exploited vulnerabilities, with the goal of supporting network administrators in determining if their environment contains the conditions required for an attack.
The vulnerabilities included in this research are:
- CVE-2020-11897 - Write out-of-bounds using Routing Header type 0
- CVE-2020-11901 - Integer Overflow in tfDnsExpLabelLength
- CVE-2020-11901 (Variant) - RDATA Length Mismatch in DNS CNAME Records
- CVE-2020-11896 - IPv4/UDP Tunneling Remote Code Execution
For more information visit https://github.com/advanced-threat-research/Ripple-20-Detection-Logic