BlueTeam CheatSheet * Ripple20 * | Last updated: 2020-06-26 2121 UTC

20200618-TLP-WHITE_Ripple20.md

Ripple20, set of vulnerabilities inside Treck / KASAGO IP Stacks

General

• Ripple20 is the codename to a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
• These vulnerabilities are inside an IP stack, selled under two different names (Treck TCP/IP for U.S market Kasago TCP/IP, for Asia market. -These two stacks were bought and used under privated-labeled by several softwares companies, some known names are: GHnetv2, Kwiknet, Quadnet.
• But there's more, these stacks were also integrated, sometimes with modifications, inside several RTOS (real-time operating system).
• Last, some of the vulnerabilities, depending the device operating system, configuration or location can have greater or lower CVSS score.
• My advice is for companies to ask their suppliers if they use one of this stack and assess the risk following their company risk policy.
• This will not be an easy set of vulnerabilities to patch, sadly.

CVE list

JSOF

• CVE-2020-11896
• CVE-2020-11897
• CVE-2020-11898
• CVE-2020-11899
• CVE-2020-11900
• CVE-2020-11901
• CVE-2020-11902
• CVE-2020-11903
• CVE-2020-11904
• CVE-2020-11905
• CVE-2020-11906
• CVE-2020-11907
• CVE-2020-11908
• CVE-2020-11909
• CVE-2020-11910
• CVE-2020-11911
• CVE-2020-11912
• CVE-2020-11913
• CVE-2020-11914

Intel

• CVE-2020-0594 & CVE-2020-0597 correspond to CVE-2020-11899
• CVE-2020-0595 correspond to CVE-2020-11900
• CVE-2020-8674 correspond to CVE-2020-11905

References

JSOF

• JSOF Website
• Ripple20

Stack vendors

• TRECK
• Elmic / KASAGO

CERT/CC VU#257161

• CERT/CC

Patches

• Patches available, depending vendor!

Mitigation

• Some mitigations are available CERT/CC GitHub MTG

Detection

• Rules available CERT/CC GitHub RLS

Vendors list

Confirmed

Aruba Networks

• https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-006.txt

B|Braun USA

• https://www.bbraunusa.com/en/products-and-therapies/customer-communications.html
• https://www.bbraunusa.com/content/dam/b-braun/us/website/customer_communications/Skyline%20Response_Outlook_6.9.2020_FINAL1.pdf

Baxter U.S.:

• https://www.baxter.com/sites/g/files/ebysai746/files/2020-06/BulletinSpectrumDigiTreck%20%28003%29.pdf

Boston Scientific / Guidant Medical

• https://www.bostonscientific.com/content/dam/bostonscientific/corporate/product-security/BSC-Statement-on-Ripple20-Treck-Vulnerability-Rev1-25Jun2020.pdf
• https://www.bostonscientific.com/en-US/customer-service/product-security/product-security-information.html
• Affected but not exploitable.

CARESTREAM

• https://www.carestream.com/en/us/services-and-support/cybersecurity-and-privacy
• https://www.carestream.com/en/us/-/media/publicsite/resources/service-and-support-publications/product-security-advisory---ripple20.pdf?sc_lang=en

CATERPILLAR

• https://www.cat.com/en_US/support/technology/connected-solutions-principles/security/caterpillar-cybersecurity-advisory.html

Cisco

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC

Dell / EMC

• https://www.dell.com/support/article/fr-fr/sln321835/dsa-2020-150-dell-client-platform-security-update-for-treck-tcp-ip-stack-vulnerabilities-in-teradici-firmware-and-remote-workstation-cards?lang=en
• https://www.dell.com/support/article/fr-fr/sln321727/dsa-2020-143-dell-client-platform-security-update-for-intel-platform-updates-2020-1?lang=en
• https://www.dell.com/support/article/fr-fr/sln321836/dell-response-to-the-ripple20-vulnerabilities?lang=en

EATON

• https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-security-bulletin-treck-tcp-ip-stack-vulnerabilities-ripple20.pdf

DIGI:

• https://www.digi.com/support/knowledge-base/digi-international-security-notice-treck-tcp-ip-st

Elmic / KASAGO

• https://www.elwsc.co.jp/news/4136/
• https://www.elwsc.co.jp/wp-content/uploads/2020/06/KASAGO202006-1.pdf

Green Hills Software

• https://support.ghs.com/psirt/PSA-2020-05/

HCL Tech

HP:

• https://support.hp.com/us-en/document/c06640149
• https://support.hp.com/us-en/document/c06655639

HPE

• https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf03999en_us
• Not sure about this one, the CVE they mentioned aren't recognized in JSOF publication (CVE-2020-0545 & CVE-2020-0586)

INTEL:

• https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html

KASAGO

• https://www.elwsc.co.jp/news/4136/

Maxlinear (Through HLFN)

McAfee

• Saying vulnerable but not exploitable
• https://kc.mcafee.com/corporate/index?page=content&id=SB10321
• https://kc.mcafee.com/corporate/index?page=content&id=KB93020
• Not sure about this one, the CVE they mentioned aren't recognized in JSOF publication (CVE-2020-0545 & CVE-2020-0586)

NetApp

• https://security.netapp.com/advisory/ntap-20200625-0006/

ROCKWELL AUTOMATION

• https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1126896

Schneider:

• https://www.se.com/ww/en/download/document/SESB-2020-168-01/

Teradici

• https://advisory.teradici.com/security-advisories/56/

Treck:

• https://treck.com/vulnerability-response-information/

Xerox:

• https://security.business.xerox.com/wp-content/uploads/2020/06/cert_Security_Mini_Bulletin_XRX20J_for_B2XX.pdf

Pending

Agilent

Airlinq (Through Netsnapper Technologies SARL)

Arburg

Audiocodes

BAE Systems

BD

BECK (Now HMS Industrial Networks AB, since July 17, 2018)

• https://www.hms-networks.com/cybersecurity
• https://cdn.hms-networks.com/docs/librariesprovider6/cybersecurity/hms-security-advisory-2020-06-23-001---hms-ripple20-info.pdf?sfvrsn=81d236d7_4
• They outted some products but still assessing !

Broadcom

Capsule (Through Digi)

DASAN Zhone (Through vpacket)

• Behind subscription wall, status unknown

Datamax Corporation

Enghouse (Through tollgrade communications)

Extreme Networks

Foundry

• Behind subscription wall, status unknown

Fraunhofer IZFP

Gainspan (telit)

GE general electric (Through Quadros)

Green Hills Software

Hitachi Europe

Hlfn

Honeywell

Itron

Kadak (Ceased activity in January 29, 2016)

• http://www.kadak.com/index.htm

L-3 Chesapeake Sciences Corporation

Lockheed Martin

Marvell

Maxim Integrated Products

Memjet

MTS Technologies SARL

NASA

Netafim

Netsnapper Technologies SARL

Philips

Quadros

Qualstar.com

Red lion controls

Redcom

SAIC

ScriptPro

Semtech

Sigma designs

SimCom Wireless

Starent Networks (Acquiredby Cisco)

Synamedia (Through Cisco) / NDSUK

Syncroness

Texas Instruments-Berlin

Thinkcom / ThinKom

Tollgrade Communications

Ultra Electronics Flightline Systems

Verifone

Vicom

Videotek

Vocera

Vpacket (Now DASAN Zhone)

Weibel weibel.dk

Western geco

Xilinx

Zodiac Aerospace

Not vulnerable

Abbott (Through Guidant Healthcare)

Afero

AMD

Blackberry

GE Healthcare

Laird

LANCOM Systems GmBH

MEDTRONIC

• https://global.medtronic.com/xg-en/product-security/security-bulletins/ripple20-vulnerabilities.html

NVIDIA (Through portalplayer)

• https://nvidia.custhelp.com/app/answers/detail/a_id/5033

Phillips Electronics

Portalplayer

• https://nvidia.custhelp.com/app/answers/detail/a_id/5033

Sandia National Labs

Sierra Wireless

Synology

• https://www.synology.com/en-uk/security/advisory/Synology_SA_20_15

Systech

Technicolor

Texas Instruments

Wind River

Zebra Technologies

Zyxel

Errors, typos, something to say ?

• Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

HPE's Aruba just released a statement - vulnerable to 8 of the 19 vulnerabilities
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-006.txt

HPE's Aruba just released a statement - vulnerable to 8 of the 19 vulnerabilities
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-006.txt

• Added

Thanks !