@SwitHak
Last active April 26, 2023 22:04
BlueTeam CheatSheet * Ripple20 * | Last updated: 2020-06-26 2121 UTC

Ripple20, set of vulnerabilities inside Treck / KASAGO IP Stacks

General

  • Ripple20 is the codename for a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
  • These vulnerabilities are inside an IP stack sold under two different names (Treck TCP/IP for the U.S. market, Kasago TCP/IP for the Asia market).
  • These two stacks were bought and used under private label by several software companies; some known names are: GHnetv2, Kwiknet, Quadnet.
  • But there's more: these stacks were also integrated, sometimes with modifications, inside several RTOSes (real-time operating systems).
  • Last, some of the vulnerabilities can have a higher or lower CVSS score depending on the device's operating system, configuration or location.
  • My advice is for companies to ask their suppliers whether they use one of these stacks and to assess the risk following their company risk policy.
  • This will not be an easy set of vulnerabilities to patch, sadly.

CVE list

JSOF

  • CVE-2020-11896
  • CVE-2020-11897
  • CVE-2020-11898
  • CVE-2020-11899
  • CVE-2020-11900
  • CVE-2020-11901
  • CVE-2020-11902
  • CVE-2020-11903
  • CVE-2020-11904
  • CVE-2020-11905
  • CVE-2020-11906
  • CVE-2020-11907
  • CVE-2020-11908
  • CVE-2020-11909
  • CVE-2020-11910
  • CVE-2020-11911
  • CVE-2020-11912
  • CVE-2020-11913
  • CVE-2020-11914

Intel

  • CVE-2020-0594 & CVE-2020-0597 correspond to CVE-2020-11899
  • CVE-2020-0595 corresponds to CVE-2020-11900
  • CVE-2020-8674 corresponds to CVE-2020-11905

References

JSOF

Stack vendors

CERT/CC VU#257161

Patches

  • Patches available, depending on the vendor!

Mitigation

Detection

Vendors list

Confirmed

Aruba Networks

B|Braun USA

Baxter U.S.:

Boston Scientific / Guidant Medical

CARESTREAM

CATERPILLAR

Cisco

Dell / EMC

EATON

DIGI:

Elmic / KASAGO

Green Hills Software

HCL Tech

HP:

HPE

INTEL:

KASAGO

Maxlinear (Through HLFN)

McAfee

NetApp

ROCKWELL AUTOMATION

Schneider:

Teradici

Treck:

Xerox:

Pending

Agilent

Airlinq (Through Netsnapper Technologies SARL)

Arburg

Audiocodes

BAE Systems

BD

BECK (Now HMS Industrial Networks AB, since July 17, 2018)

Broadcom

Capsule (Through Digi)

DASAN Zhone (Through vpacket)

  • Behind subscription wall, status unknown

Datamax Corporation

Enghouse (Through tollgrade communications)

Extreme Networks

Foundry

  • Behind subscription wall, status unknown

Fraunhofer IZFP

Gainspan (telit)

GE general electric (Through Quadros)

Green Hills Software

Hitachi Europe

Hlfn

Honeywell

Itron

Kadak (Ceased activity on January 29, 2016)

L-3 Chesapeake Sciences Corporation

Lockheed Martin

Marvell

Maxim Integrated Products

Memjet

MTS Technologies SARL

NASA

Netafim

Netsnapper Technologies SARL

Philips

Quadros

Qualstar.com

Red lion controls

Redcom

SAIC

ScriptPro

Semtech

Sigma designs

SimCom Wireless

Starent Networks (Acquired by Cisco)

Synamedia (Through Cisco) / NDSUK

Syncroness

Texas Instruments-Berlin

Thinkcom / ThinKom

Tollgrade Communications

Ultra Electronics Flightline Systems

Verifone

Vicom

Videotek

Vocera

Vpacket (Now DASAN Zhone)

Weibel weibel.dk

Western geco

Xilinx

Zodiac Aerospace

Not vulnerable

Abbott (Through Guidant Healthcare)

Afero

AMD

Blackberry

GE Healthcare

Laird

LANCOM Systems GmBH

MEDTRONIC

NVIDIA (Through portalplayer)

Phillips Electronics

Portalplayer

Sandia National Labs

Sierra Wireless

Synology

Systech

Technicolor

Texas Instruments

Wind River

Zebra Technologies

Zyxel

Errors, typos, something to say ?

  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak
@sei-vsarvepalli

HPE's Aruba just released a statement - vulnerable to 8 of the 19 vulnerabilities
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-006.txt

@SwitHak
Author

SwitHak commented Jun 23, 2020

HPE's Aruba just released a statement - vulnerable to 8 of the 19 vulnerabilities
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-006.txt

  • Added

Thanks !
