Ripple20, set of vulnerabilities inside Treck / KASAGO IP Stacks
General
- Ripple20 is the codename for a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
- These vulnerabilities are inside an IP stack sold under two different names (Treck TCP/IP for the U.S. market, Kasago TCP/IP for the Asian market).
- These two stacks were bought and used under private label by several software companies; some known names are: GHnetv2, Kwiknet, Quadnet.
- But there's more: these stacks were also integrated, sometimes with modifications, inside several RTOSes (real-time operating systems).
- Lastly, depending on the device's operating system, configuration or location, some of the vulnerabilities can have a higher or lower CVSS score.
- My advice is for companies to ask their suppliers if they use one of these stacks and assess the risk following their company risk policy.
- This will not be an easy set of vulnerabilities to patch, sadly.
CVE list
JSOF
- CVE-2020-11896
- CVE-2020-11897
- CVE-2020-11898
- CVE-2020-11899
- CVE-2020-11900
- CVE-2020-11901
- CVE-2020-11902
- CVE-2020-11903
- CVE-2020-11904
- CVE-2020-11905
- CVE-2020-11906
- CVE-2020-11907
- CVE-2020-11908
- CVE-2020-11909
- CVE-2020-11910
- CVE-2020-11911
- CVE-2020-11912
- CVE-2020-11913
- CVE-2020-11914
Intel
- CVE-2020-0594 & CVE-2020-0597 correspond to CVE-2020-11899
- CVE-2020-0595 corresponds to CVE-2020-11900
- CVE-2020-8674 corresponds to CVE-2020-11905
References
JSOF
Stack vendors
CERT/CC VU#257161
Patches
- Patches are available, depending on the vendor!
Mitigation
- Some mitigations are available: CERT/CC GitHub MTG
Detection
- Rules are available: CERT/CC GitHub RLS
Vendors list
Confirmed
Aruba Networks
B|Braun USA
- https://www.bbraunusa.com/en/products-and-therapies/customer-communications.html
- https://www.bbraunusa.com/content/dam/b-braun/us/website/customer_communications/Skyline%20Response_Outlook_6.9.2020_FINAL1.pdf
Baxter U.S.:
Boston Scientific / Guidant Medical
- https://www.bostonscientific.com/content/dam/bostonscientific/corporate/product-security/BSC-Statement-on-Ripple20-Treck-Vulnerability-Rev1-25Jun2020.pdf
- https://www.bostonscientific.com/en-US/customer-service/product-security/product-security-information.html
- Affected but not exploitable.
CARESTREAM
- https://www.carestream.com/en/us/services-and-support/cybersecurity-and-privacy
- https://www.carestream.com/en/us/-/media/publicsite/resources/service-and-support-publications/product-security-advisory---ripple20.pdf?sc_lang=en
CATERPILLAR
Cisco
Dell / EMC
- https://www.dell.com/support/article/fr-fr/sln321835/dsa-2020-150-dell-client-platform-security-update-for-treck-tcp-ip-stack-vulnerabilities-in-teradici-firmware-and-remote-workstation-cards?lang=en
- https://www.dell.com/support/article/fr-fr/sln321727/dsa-2020-143-dell-client-platform-security-update-for-intel-platform-updates-2020-1?lang=en
- https://www.dell.com/support/article/fr-fr/sln321836/dell-response-to-the-ripple20-vulnerabilities?lang=en
EATON
DIGI:
Elmic / KASAGO
- https://www.elwsc.co.jp/news/4136/
- https://www.elwsc.co.jp/wp-content/uploads/2020/06/KASAGO202006-1.pdf
Green Hills Software
HCL Tech
HP:
HPE
- https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf03999en_us
- Not sure about this one, the CVEs they mentioned aren't recognized in the JSOF publication (CVE-2020-0545 & CVE-2020-0586)
INTEL:
KASAGO
Maxlinear (Through HLFN)
McAfee
- Saying vulnerable but not exploitable
- https://kc.mcafee.com/corporate/index?page=content&id=SB10321
- https://kc.mcafee.com/corporate/index?page=content&id=KB93020
- Not sure about this one, the CVEs they mentioned aren't recognized in the JSOF publication (CVE-2020-0545 & CVE-2020-0586)
NetApp
ROCKWELL AUTOMATION
Schneider:
Teradici
Treck:
Xerox:
Pending
Agilent
Airlinq (Through Netsnapper Technologies SARL)
Arburg
Audiocodes
BAE Systems
BD
BECK (Now HMS Industrial Networks AB, since July 17, 2018)
- https://www.hms-networks.com/cybersecurity
- https://cdn.hms-networks.com/docs/librariesprovider6/cybersecurity/hms-security-advisory-2020-06-23-001---hms-ripple20-info.pdf?sfvrsn=81d236d7_4
- They outed some products but are still assessing!
Broadcom
Capsule (Through Digi)
DASAN Zhone (Through vpacket)
- Behind subscription wall, status unknown
Datamax Corporation
Enghouse (Through tollgrade communications)
Extreme Networks
Foundry
- Behind subscription wall, status unknown
Fraunhofer IZFP
Gainspan (telit)
GE general electric (Through Quadros)
Green Hills Software
Hitachi Europe
Hlfn
Honeywell
Itron
Kadak (Ceased activity on January 29, 2016)
L-3 Chesapeake Sciences Corporation
Lockheed Martin
Marvell
Maxim Integrated Products
Memjet
MTS Technologies SARL
NASA
Netafim
Netsnapper Technologies SARL
Philips
Quadros
Qualstar.com
Red lion controls
Redcom
SAIC
ScriptPro
Semtech
Sigma designs
SimCom Wireless
Starent Networks (Acquired by Cisco)
Synamedia (Through Cisco) / NDSUK
Syncroness
Texas Instruments-Berlin
Thinkcom / ThinKom
Tollgrade Communications
Ultra Electronics Flightline Systems
Verifone
Vicom
Videotek
Vocera
Vpacket (Now DASAN Zhone)
Weibel weibel.dk
Western geco
Xilinx
Zodiac Aerospace
Not vulnerable
Abbott (Through Guidant Healthcare)
Afero
AMD
Blackberry
GE Healthcare
Laird
LANCOM Systems GmbH
MEDTRONIC
- https://global.medtronic.com/xg-en/product-security/security-bulletins/ripple20-vulnerabilities.html
NVIDIA (Through portalplayer)
Phillips Electronics
Portalplayer
Sandia National Labs
Sierra Wireless
Synology
Systech
Technicolor
Texas Instruments
Wind River
Zebra Technologies
Zyxel
Errors, typos, something to say?
- Feel free to report any mistake directly below in the comments or by DM on Twitter @SwitHak
HPE's Aruba just released a statement - vulnerable to 8 of the 19 vulnerabilities
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-006.txt