Alert: Digi Devices Affected by Ripple20 Can Be Used in Reflection Attacks
July 28, 2020
Executive Summary
In recent years, a growing number of protocols that can be abused for UDP reflection attacks have come to our attention, such as CoAP[1], Ubiquiti[2], WS-Discovery[3], OpenVPN[4], and a certain DVR protocol[5]. These attack patterns differ from the familiar DNS, SSDP, NTP, and Memcached reflection attacks, which poses challenges for distributed denial-of-service (DDoS) attack protection.
In June 2020, JSOF, an Israel-based cybersecurity company, revealed that 0-day vulnerabilities in the Treck TCP/IP protocol stack might affect hundreds of millions of devices globally. After analyzing the published whitepapers, we found that devices produced by Digi, one of the affected vendors, use the Advanced Digi Discovery Protocol (ADDP) for device discovery. ADDP uses 224.0.5.128 as its multicast address and 2362 as its port. As implemented, however, ADDP also supports unicast, and the source IP address of a UDP packet can be spoofed. Digi devices are therefore at risk of being used for reflection attacks.
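A defender can check flow logs for the condition described above: a device that answers unicast ADDP requests arriving from outside its own network. The following is an added example, not code from the original alert; the flow-record layout, the function name `find_addp_reflectors`, the sample addresses and all byte counts are constructed assumptions, and only the port and multicast address come from the text.

```python
import ipaddress
from collections import defaultdict

ADDP_PORT = 2362                                   # port named in the alert
ADDP_MCAST = ipaddress.ip_address("224.0.5.128")   # multicast group named in the alert

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", 50000, "224.0.5.128", 2362, "udp", 14),      # normal LAN discovery
    ("10.0.0.20", 2362, "10.0.0.5", 50000, "udp", 120),       # device answers locally
    ("198.51.100.7", 4444, "10.0.0.20", 2362, "udp", 1400),   # unicast request from outside
    ("10.0.0.20", 2362, "198.51.100.7", 4444, "udp", 12000),  # answer sent off-network
    ("203.0.113.9", 53, "10.0.0.5", 33000, "udp", 300),       # unrelated DNS reply
]

def find_addp_reflectors(flows, internal_cidrs):
    """Return internal devices that answered unicast ADDP from off-network sources."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]

    def is_internal(ip):
        return any(ip in n for n in nets)

    # Key: (internal device, remote address) -> bytes seen in each direction
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0})
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport == ADDP_PORT and d != ADDP_MCAST and is_internal(d) and not is_internal(s):
            stats[(dst, src)]["req_bytes"] += nbytes     # inbound unicast request
        elif sport == ADDP_PORT and is_internal(s) and not is_internal(d):
            stats[(src, dst)]["resp_bytes"] += nbytes    # response leaving the network

    findings = []
    for (device, remote), b in stats.items():
        if b["resp_bytes"] == 0:
            continue  # request was filtered or unanswered: nothing was reflected
        # Bytes out per byte in; None when the request was not captured
        ratio = b["resp_bytes"] / b["req_bytes"] if b["req_bytes"] else None
        findings.append({"device": device, "remote": remote, **b, "ratio": ratio})
    return sorted(findings, key=lambda f: f["resp_bytes"], reverse=True)

if __name__ == "__main__":
    for finding in find_addp_reflectors(SAMPLE_FLOWS, ["10.0.0.0/8"]):
        print(finding)
```

Because the source address of the request may be spoofed, the `remote` field identifies the host receiving the reflected traffic, not necessarily the sender of the request.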