ADVISORY: Ripple20 vulnerability advisories, patches, and updates

The dust is far from settled following the disclosure of the 19 vulnerabilities in the TCP/IP stack from Treck, collectively referred to as Ripple20, which could help attackers take full control of vulnerable devices on the network.

Treck’s code is fundamental to the embedded devices it runs on because it provides their network communication, and it is present in devices used in a variety of sectors: technology, medical, construction, mining, printing, energy, software, industrial control systems (ICS), telecom, retail, commerce.

The company has notified its customers and issued patches but a week after the Ripple20 announcement from security research group JSOF, the full impact remains unclear.

This is because Treck’s code is licensed and distributed under different names or serves as a foundation for a new network stack.

Concerted efforts from national-level cybersecurity agencies and private companies in the field are ongoing to identify businesses with products vulnerable to issues in the Ripple20 vulnerability set.

Medical devices especially affected

What is clear at the moment, though, is that the healthcare industry is particularly affected and should be on high alert.

Elad Luz, head of research at CyberMDX, a company focused on security in medical devices and involved in identifying vulnerable products, said that an initial investigation placed the healthcare industry’s exposure at more than seven times that of manufacturing.

Forescout is also involved in the effort and published on the day of the disclosure that there was six times more vulnerable healthcare-related equipment than in the retail sector. The data represents devices in Forescout Device Cloud that matched Treck signatures.

The most common types of equipment identified by Forescout to run Treck code are infusion pumps, printers, UPS (uninterruptible power supply) systems, networking equipment, point-of-sale devices, IP cameras, video conferencing systems, building automation devices, and ICS devices.

CyberMDX’s investigation found that most radiology devices, glucometers, and lab devices were unaffected. Things are different with infusion pumps, though, which the company found to be “disproportionately affected.”

“Together with our collaborators at JSOF and other organizations, we’ve been able to confirm, for example, that Baxter infusion pumps in the Sigma series are indeed vulnerable as well as some Braun infusion pumps” – CyberMDX

Below you will find a list with companies that have confirmed that their products are vulnerable to at least one vulnerability in the Ripple20 suite.

 

Confirmed Ripple20 impact

Aruba Networks

A preliminary advisory based on an initial investigation is available from Aruba Networks (HPE subsidiary), listing L2/L3 switches produced under the Aruba or HP ProCurve brand names.

“These switches run the ArubaOS-Switch software or its previous name, HP ProVision Operating System. Any switches running ArubaOS-CX or Comware are not affected.”

The full advisory from Aruba Networks containing the switch series affected is available here.

Baxter US

Fortune 500 healthcare company Baxter announced that some of its Spectrum Infusion System’s Wireless Battery Modules are impacted by Ripple20 because they run Digi Net+OS with Treck’s TCP/IP stack:

  • 35083 – b wireless battery module
  • 35162 – b/g wireless battery module
  • 35195 – a/b/g/n wireless battery module
  • 35223 – a/b/g/n wireless battery module
  • 36010 – a/b/g/n wireless battery module

The security bulletin from Baxter US can be found here.

B. Braun

The medical and pharmaceutical device company announced that vulnerable Treck code is present in its Outlook 400ES Safety Infusion Pump System and that no other products are affected by the Ripple20 set of issues.

“To date, B. Braun has received 24 patches from Treck to resolve vulnerabilities in the software. We have analyzed the patches and determined that 20 of them are not applicable to the Outlook 400 ES platform (the product is not susceptible to these vulnerabilities). The four remaining patches continue to be analyzed to determine the scope, severity, and impact of each vulnerability” – B. Braun Ripple20 advisory

Beck/HMS Industrial Networks AB

Older products from the company run vulnerable components but most HMS products do not use Treck’s software library.

The company provides a list of products that are not vulnerable and will update it as more products are discovered to be safe from Ripple20. You can read the advisory here.

CareStream

CareStream announced that several of its products may be impacted by Ripple20, promising an updated list on June 26 as their investigation continues.

  • CR975
  • DIRECTVIEW Max CR System
  • DIRECTVIEW Classic CR System
  • DIRECTVIEW Elite CR System
  • HPX Pro
  • HPX-One

It’s worth noting that the U.S. CERT Coordination Center at Carnegie Mellon, on June 23, lists CareStream equipment as being vulnerable to all Ripple20 vulnerabilities.

You can download CareStream’s advisory from the company’s vulnerability assessment page.

Caterpillar

There is no statement from this company about which of its products are affected but an undisclosed number is vulnerable to Ripple20.

“If you are a customer and would like more information about available remediations, please contact your Cat dealer or global account manager” the company advises.

Cisco

The following routing and switching gear from Cisco is vulnerable to all security flaws disclosed in the Ripple20 advisory from JSOF.

 

Routing and Switching – Enterprise and Service Provider

Product                                                  Cisco Bug ID   Fixed Release Availability
Cisco ASR 5000 Series Routers                            CSCvu68945
Cisco GGSN Gateway GPRS Support Node                     CSCvu68945
Cisco IP Services Gateway (IPSG)                         CSCvu68945
Cisco MME Mobility Management Entity                     CSCvu68945
Cisco PDSN/HA Packet Data Serving Node and Home Agent    CSCvu68945
Cisco PGW Packet Data Network Gateway                    CSCvu68945
Cisco System Architecture Evolution Gateway (SAEGW)      CSCvu68945

The company is currently investigating its product line to determine if other products are affected by the flaws and will update the advisory with new information.

Digi International

The company found that any embedded device using the NET+OS 7.X software development platform along with the products below are affected by Ripple20:

  • Connect SP
  • Connect ME
  • Connect ES
  • Connect EM
  • Connect WME
  • Connect 9C
  • Connect 9P
  • ConnectPort X4 (all variants)
  • ConnectPort X2 (NOT X2e)
  • ConnectPort TS (Not LTS)
  • AnywhereUSB (excluding Plus)
  • NetSilicon 7520, 9210, 9215, 9360, 9750

New firmware versions have been available for the products since late April and customers are strongly recommended to install them, the company advises in its security notice.

Green Hills Software

This developer of real-time operating systems (RTOS) and programming tools for embedded devices provides the GHnet v2 network stack, which is based on Treck’s TCP/IP stack.

The code is present in the INTEGRITY RTOS but because it enforces isolation between the kernel and the applications, the impact of Ripple20 is not severe.

The notification from Green Hills Software is posted here: https://support.ghs.com/psirt/PSA-2020-05/

HCL Technologies

An undisclosed number of products from this vendor are vulnerable to Ripple20 but no official statement is currently available on the company’s page for security bulletins.

Hewlett Packard Enterprise (HPE)

No advisory is available at the moment but information is expected to be released in the near future in a security bulletin from the company.

HP Inc. and Samsung

An advisory from the vendor refers to HP and Samsung printers vulnerable to Ripple20. Dozens of them are affected:

  • HP Laser
  • HP LaserJet Pro
  • HP Neverstop Laser
  • Samsung proXpress
  • Samsung MultiXpress
  • HP DeskJet
  • HP OfficeJet
  • HP OfficeJet Pro
  • HP Ink Tank
  • HP Smart Tank

All printers have received new firmware that corrects the issues; customers are strongly advised to install the updates, the security bulletin urges.

Other issues related to the Treck TCP/IP stack in HP products have been inherited from Intel components, reads another advisory from the company.

Intel

Some versions of Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM) are vulnerable to three issues in the Ripple20 set.

An advisory from the company notes that the vulnerabilities had been assigned different tracking numbers before JSOF disclosed their findings but correspond to CVE-2020-11899, CVE-2020-11900, and CVE-2020-11905.

MaxLinear

CyberMDX lists chip maker MaxLinear among the vendors with products affected by Ripple20. The company has not published any statement or advisory naming the impacted devices.

Rockwell Automation

An advisory from Rockwell Automation is available for customers only. An undisclosed number of products from this company is affected by the entire Ripple20 vulnerability set.

Schneider Electric

Dozens of products from Schneider Electric are impacted by all 19 Ripple20 vulnerabilities. The vendor published a list, updated on June 24, with dozens of devices that are vulnerable.

The advisory from Schneider Electric also recommends mitigations to limit the risk of exploitation. An up-to-date version of the document can be downloaded from the company’s security notification for Ripple20.

Teradici

Software firm Teradici acknowledged that Ripple20 issues exist in versions of Tera2 Zero Client firmware 20.01.1 and prior as well as Tera2 Remote Workstation Card 20.01.1 and prior.

The developer has released new firmware versions to fix the bugs, the company announced in an advisory from June 17.

Treck

Treck is at the center of the ripple. The company has updated its library to include the necessary fixes. Where the Treck library was not licensed directly from the company, owners of vulnerable products are advised to contact the manufacturer or seller to receive the patches.

Treck has notified its customers and provided this vulnerability response statement. Inquiries on Treck releases containing fixes or patches for all the reported issues should be addressed at this email contact.

Xerox

In a short security bulletin on June 16, Xerox confirmed that some of its devices are impacted by Ripple20 and provided new firmware versions for three of its printers:

  • Xerox B205
  • Xerox B210
  • Xerox B215

Zuken Elmic

The company distributes Treck’s TCP/IP stack under the name KASAGO. This means that any product running this library is vulnerable to Ripple20.

A workaround has been provided in the advisory to keep affected products safe until a patch can be applied.

 

The information is gathered from Bleeping Computer.