The dust is far from settled following the disclosure of the 19 vulnerabilities in the TCP/IP stack from Treck, collectively referred to as Ripple20, which could help attackers take full control of vulnerable devices on the network.
Treck’s code is fundamental for the embedded devices it is implemented on because it bestows network communication to them and is present on gadgets used in a variety of sectors: technology, medical, construction, mining, printing, energy, software, industrial control systems (ICS), telecom, retail, commerce.
The company has notified its customers and issued patches but a week after the Ripple20 announcement from security research group JSOF, the full impact remains unclear.
This is because Treck’s code is licensed and distributed under different names or serves as a foundation for a new network stack.
Concerted efforts from national-level cybersecurity agencies and private companies in the field are ongoing to identify businesses with products vulnerable to issues in the Ripple20 vulnerability set.
What is clear at the moment, though, is that the healthcare industry is particularly affected and should be on high alert.
Elad Luz, head of research at CyberMDX, a company focused on security in medical devices and involved in identifying vulnerable products, told BleepingComputer that initial investigation placed healthcare industry’s exposure at more than seven times than that of manufacturing.
Forescout is also involved in the effort and published on the day of the disclosure that there were six times more vulnerable healthcare-related equipment than in the retail sector. The data represents devices in Forescout Device Cloud that matched Treck signatures.
The most common types of equipment identified by Forescout to run Treck code are infusion pumps, printers, UPS (uninterruptible power supply) systems, networking equipment, point-of-sale devices, IP cameras, video conferencing systems, building automation devices, and ICS devices.
CyberMDX’s investigation found that most radiology devices, glucometers, and lab devices were unaffected. Things are different with infusion pumps, though, which the company found to be "disproportionately affected."
“Together with our collaborators at JSOF and other organizations, we've been able to confirm, for example, that Baxter infusion pumps in the Sigma series are indeed vulnerable as well as some Braun infusion pumps” - CyberMDX
Below you will find a list with companies that have confirmed that their products are vulnerable to at least one vulnerability in the Ripple20 suite.
If you are a vendor with an advisory or notice, please contact us to have your information added.
Aruba Networks
A preliminary advisory based on an initial investigation is available from Aruba Networks (HPE subsidiary), listing L2/L3 switches produced under the Aruba or HP ProCurve brand names.
“These switches run the ArubaOS-Switch software or its previous name, HP ProVision Operating System. Any switches running ArubaOS-CX or Comware are not affected.”
The full advisory from Aruba Networks containing the switch series affected is available here.
Baxter US
Fortune 500 healthcare company Baxter announced that some of its Spectrum Infusion System’s Wireless Battery Modules are impacted by Ripple20 because they run Digi Net+OS with Treck’s TCP/IP stack:
The security bulletin from Baxter US can be found here.
B. Braun
The medical and pharmaceutical device company notified that vulnerable Treck code is present in its Outlook 400ES Safety Infusion Pump System and no other products are affected by the Ripple20 set of issues.
“To date, B. Braun has received 24 patches from Treck to resolve vulnerabilities in the software. We have analyzed the patches and determined that 20 of them are not applicable to the Outlook 400 ES platform (the product is not susceptible to these vulnerabilities). The four remaining patches continue to be analyzed to determine the scope, severity, and impact of each vulnerability” - B. Braun Ripple20 advisory
Beck/HMS Industrial Networks AB
Older products from the company run vulnerable components but most HMS products do not use Treck’s software library.
The company provides a list of products that are not vulnerable and will update it as more products are discovered to be safe from Ripple20. You can read the advisory here.
CareStream
CareStream announced that several of its products may be impacted by Ripple20, promising an updated list on June 26 as other their investigation continues.
It’s worth noting that both the U.S. CERT Coordination Center at Carnegie Mellon on June 23 lists CareStream equipment as being vulnerable to all Ripple20 vulnerabilities.
You can download CareStream’s advisory from the company’s vulnerability assessment page.
Caterpillar
There is no statement from this company about which of its products are affected but an undisclosed number is vulnerable to Ripple20.
“If you are a customer and would like more information about available remediations, please contact your Cat dealer or global account manager” the company advises.
Cisco
The following routing and switching gear from Cisco is vulnerable to all security flaws disclosed in the Ripple20 advisory from JSOF.
| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Cisco ASR 5000 Series Routers | CSCvu68945 | |
| Cisco GGSN Gateway GPRS Support Node | CSCvu68945 | |
| Cisco IP Services Gateway (IPSG) | CSCvu68945 | |
| Cisco MME Mobility Management Entity | CSCvu68945 | |
| Cisco PDSN/HA Packet Data Serving Node and Home Agent | CSCvu68945 | |
| Cisco PGW Packet Data Network Gateway | CSCvu68945 | |
| Cisco System Architecture Evolution Gateway (SAEGW) | CSCvu68945 |
The company is currently investigating its product line to determine if other products are affected by the flaws and will update the advisory with new information.
Digi International
The company found that any embedded device using the NET+OS 7.X software development platform along with the products below are affected by Ripple20:
New firmware versions are available for the products since late April and customers are strongly recommended to install them, the company advises in its security notice.
Green Hills Software
This developer of real-time operating systems (RTOS) and programming tools for embedded devices provides the GHnet v2 network stack, which is based on Treck’s TCP/IP stack.
The code is present in the INTEGRITY RTOS but because it enforces isolation between the kernel and the applications, the impact of Ripple20 is not severe.
The notification from Green Hills Software is posted here: https://support.ghs.com/psirt/PSA-2020-05/
HCL Technologies
An undisclosed number of products from this vendor are vulnerable to Ripple20 but no official statement is currently available on the company’s page for security bulletins.
Hewlett Packard Enterprise (HPE)
No advisory is available at the moment but information is expected to be released in the near future in a security bulletin from the company.
HP Inc. and Samsung
An advisory from the vendor refers to HP and Samsung printer vulnerable to Ripple20. Dozens of then are affected:
All printers have received new firmware that correct the issues; customers are strongly advised to install the updates, the security bulletin Urges.
Other issues related to the Treck TCP/IP stack in HP products have been inherited from Intel components, reads another advisory from the company.
Intel
Some versions of Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM) are vulnerable to three issues in the Ripple20 set.
An advisory from the company notes that the vulnerabilities had been assigned different tracking numbers before JSOF disclosed their findings but correspond to CVE-2020-11899, CVE-2020-11900, and CVE-2020-11905.
MaxLinear
CyberMDX lists MaxLinear chip maker among the vendors with products affected by Ripple20. The company has not published any statement or advisory naming the impacted devices.
Rockwell Automation
An advisory from Rockwell Automation is available for customers only. An undisclosed number of products from this company is affected by the entire Ripple20 vulnerability set.
Schneider Electric
Dozens of products from Schneider Electric are impacted by all 19 Ripple20 vulnerabilities. The vendor published a list, updated on June 24, with dozens of devices that are vulnerable.
The advisory from Schneider Electric also recommends mitigations to limit the risk of exploitation. An up-to-date version of the document can be downloaded from the company’s security notification for Ripple20.
Dozens of products from Schneider Electric are impacted by all 19 Ripple20 vulnerabilities. The vendor published a list, updated on June 24, with dozens of devices that are vulnerable.
The advisory from Schneider Electric also recommends mitigations to limit the risk of exploitation. An up-to-date version of the document can be downloaded from the company’s security notification for Ripple20.
Teradici
Teradici software firm acknowledged that Ripple20 issues exist in versions of Tera2 Zero Client firmware 20.01.1 and prior as well as Tera2 Remote Workstation Card 20.01.1 and prior.
The developer has released new firmware versions to fix the bugs, the company announced in an advisory from June 17.
Treck
Treck is at the center of the ripple. The company has updated its library to include the necessary fixes and if Treck library was not licensed directly from the company the suggestion for owners of vulnerable products is to contact the manufacturer or seller to receive the patches.
Treck has notified its customers and provided this vulnerability response statement. Inquiries on Treck releases containing fixes or patches for all the reported issues should be addressed at this email contact.
Xerox
In a short security bulletin on June 16, Xerox confirmed that some of its devices are impacted by Ripple20 and provided new firmware versions for three of its printers:
Zuken Elmic
The company distributes Treck’s TCP/IP stack under the name KASAGO. This means that any product running this library is vulnerable to Ripple20.
A workaround has been provided in the advisory to keep affected products safe until a patch can be applied.
Update [June 25, 13:00 EDT]: Rephrased small parts of the text for clarity. Removed Sandia National Laboratories, which was incorrectly referenced in a list of vendors with products affected by Ripple20.
Read the original article and additional information at Cyware Social