
Tenable Blog


Ripple20: More Vulnerable Devices Discovered, Including New Vendors

A partnership between Tenable and JSOF continues to uncover additional devices vulnerable to Ripple20.

Update September 9, 2020: The Affected Vendors section has been updated based on feedback from vendors.

Background

On June 16, researchers from JSOF research lab disclosed a set of 19 vulnerabilities, dubbed “Ripple20”, which could impact millions of operational technology (OT), Internet of Things (IoT), and IT devices. The vulnerabilities exist within an embedded TCP/IP software library developed by Treck Inc., a developer of embedded internet protocols. The Tenable Security Response Team first wrote a blog post about the Ripple20 vulnerabilities on the day of their disclosure. The disclosure evoked memories of URGENT/11, a group of eleven vulnerabilities in the real-time operating system VxWorks that were disclosed in 2019.

A Complex Supply Chain

Numerous device vendors have adopted Treck’s TCP/IP library, reusing and repurposing it for more than two decades. This includes a split-off library known as Kasago, now managed by Elmic Systems, as well as many rebranded names for the library, such as QuadNet, GHNet V2, Net+ OS, KwikNet and others. The result is a very complex supply chain problem. JSOF worked closely with multiple vendors and agencies, including the CERT Coordination Center (CERT/CC) and the Cybersecurity and Infrastructure Security Agency (CISA), to help track down and notify vendors about these vulnerabilities. With potentially hundreds of vendors affected, identification and notification were naturally going to be a challenge. Adding to this complexity, each device may have divergent code, due to the unique implementation necessary for its specific use case and a multitude of configurable compilation options, which could alter how the device might respond to specific network requests. Because of this, each potentially vulnerable device requires a different method to confirm exploitability.

More Vulnerable Devices Identified by Tenable

When the Ripple20 advisory was published, Tenable Research contacted JSOF to collaborate on the discovery of affected devices. During the initial disclosure, several vendors had been notified, and many were evaluating their product lines to determine if any devices they offered were affected. Because of the myriad ways in which vendors likely repurposed the Treck library, identification, correction, and patch availability will require an extensive amount of time. In some cases, device vendors may no longer be in business, meaning those affected devices will not receive patches or support.

With guidance from JSOF on various detection methods, the Tenable Research team was able to help identify 34 additional vendors and 47 additional devices that were potentially affected. The findings were reported to JSOF, which continues to work with CERT/CC on the disclosure process with the affected vendors.

Affected Vendors

Tenable has adopted multiple vendor-agnostic approaches to detecting the Treck stack while trying to ensure the detection methods used are not destructive to the assets being scanned. Using multiple approaches for detection helps enhance Tenable's ability to provide coverage for the diverse Treck libraries used by various devices. The vendors in the following list have been contacted by JSOF or CERT/CC, in cooperation with other CERT entities including CERT-IL. In some cases, the products below may still be under evaluation to determine if they may be affected. It’s important to note that this is not an exhaustive list, and we anticipate uncovering additional devices that may be affected, which we will determine as our testing efforts continue.

| Vendor | Product | Advisory |
| --- | --- | --- |
| AudioCodes | SIP Device | https://www.audiocodes.com/media/13240/sip-cpe-release-notes-ver-66.pdf https://www.audiocodes.com/media/13261/sip-gateways-sbcs-release-notes-ver-70.pdf |
| Avaya | IP Phone | https://support.avaya.com/public/index?page=content&id=SOLN353492&viewlocale=en_US |
| Cisco | ASA 5500; IP Telephone; SF Series | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC |
| Dell** | iDRAC Controller; PowerEdge Blade Chassis | Confirmed not vulnerable by Dell, see link for additional product details: https://www.dell.com/support/article/en-us/sln321836/dell-response-to-the-ripple20-vulnerabilities?lang=en |
| GE | Interlogix TVF-3102 | https://www.gehealthcare.com/security |
| Hewlett Packard (HP) | LaserJet Printer; OfficeJet Pro Printer | https://support.hp.com/us-en/document/c06640149 |
| Hewlett Packard Enterprise (HPE) | 3PAR; Integrated Lights Out | https://techhub.hpe.com/eginfolib/securityalerts/Ripple20/Ripple20.html |
| IBM Corporation* | WebSphere DataPower | https://www.ibm.com/support/pages/ibm-storage-devices-are-not-exposed-ripple20-vulnerabilities |
| Motorola/Verizon | QIP Set-Top Terminal | N/A |
| Oracle | Oracle Integrated Lights Out Manager | N/A |
| Ricoh | Printer | https://www.ricoh-usa.com/en/support-and-download/alerts/alerts-security-vulnerability-announcements |
| Schneider | APC AP9619 UPS Network Management Card; APC AP9631 UPS Network Management Card; APC AP9631 UPS Network Management Card | https://www.se.com/ww/en/download/document/SEVD-2020-175-01/ |

* Note: At the time this blog was published, IBM had not confirmed whether WebSphere DataPower is affected, but had provided a list of storage devices not affected by Ripple20.

** Note: After a thorough analysis, Dell has confirmed to Tenable that iDRAC is not vulnerable to Ripple20.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here and will be updated as additional plugins are released. Additionally, several plugins to identify the Treck and Kasago Network stacks have been released and can be found here.

Tenable.ot customers should contact their CSM to get access to Suricata rules that can be used for detection. These rules will be fully integrated in the next service pack of the current release and later versions.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
