Ripple20: More Vulnerable Devices Discovered, Including New Vendors

A partnership between Tenable and JSOF continues to uncover additional devices vulnerable to Ripple20.

Update September 9, 2020: The Affected Vendors section has been updated based on feedback from vendors.

Background

On June 16, researchers from the JSOF research lab disclosed a set of 19 vulnerabilities, dubbed “Ripple20”, which could impact millions of operational technology (OT), Internet of Things (IoT), and IT devices. The vulnerabilities exist within an embedded TCP/IP software library developed by Treck Inc., a developer of embedded internet protocols. The Tenable Security Response Team first wrote a blog post about the Ripple20 vulnerabilities on the day of their disclosure. The vulnerabilities evoked memories of URGENT/11, a group of eleven vulnerabilities in the real-time operating system VxWorks that were disclosed in 2019.

A Complex Supply Chain

Treck’s TCP/IP library has been widely adopted by numerous device vendors that have reused and repurposed it for more than two decades. This includes a split-off library known as Kasago, now managed by Elmic Systems, as well as many rebranded names for the library such as QuadNet, GHNet V2, Net+ OS, KwikNet and others. This has resulted in a very complex supply chain problem. JSOF worked closely with multiple vendors and agencies, including the CERT Coordination Center (CERT/CC) and the Cybersecurity and Infrastructure Security Agency (CISA), to help track down and notify vendors about these vulnerabilities. With potentially hundreds of vendors affected, identification and notification were naturally going to be a challenge. Adding to this complexity is the fact that each device may have divergent code due to the unique implementation necessary for its specific use case and a multitude of configurable compilation options, which could alter how the device might respond to specific network requests. Because of this, each potentially vulnerable device requires a different method to confirm exploitability.

More Vulnerable Devices Identified by Tenable

When the Ripple20 advisory was published, Tenable Research contacted JSOF to collaborate on the discovery of affected devices. During the initial disclosure, several vendors had been notified, and many were evaluating their product lines to determine if any devices they offered were affected. Because of the myriad ways in which vendors likely repurposed the Treck library, identification, correction, and patch availability will require an extensive amount of time. In some cases, device vendors may no longer be in business, meaning those affected devices will not receive patches or support.

With guidance from JSOF on various detection methods, the Tenable Research team was able to help identify 34 additional vendors and 47 additional devices that were potentially affected. The findings were reported to JSOF, which continues to work with CERT/CC on the disclosure process with the affected vendors.

Affected Vendors

Tenable has adopted multiple vendor-agnostic approaches to detecting the Treck stack while trying to ensure the detection methods used are not destructive to the assets being scanned. Using multiple approaches for detection helps enhance Tenable's ability to provide coverage for the diverse Treck libraries used by various devices. The vendors in the following list have been contacted by JSOF or CERT/CC, in cooperation with other CERT entities including CERT-IL. In some cases, the products below may still be under evaluation to determine if they are affected. It’s important to note that this is not an exhaustive list, and we anticipate uncovering additional affected devices as our testing efforts continue.

| Vendor | Product | Advisory |
|---|---|---|
| AudioCodes | SIP Device | https://www.audiocodes.com/media/13240/sip-cpe-release-notes-ver-66.pdf https://www.audiocodes.com/media/13261/sip-gateways-sbcs-release-notes-ver-70.pdf |
| Avaya | IP Phone | https://support.avaya.com/public/index?page=content&id=SOLN353492&viewlocale=en_US |
| Cisco | ASA 5500; IP Telephone; SF Series | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC |
| Dell** | iDRAC Controller; PowerEdge Blade Chassis | Confirmed not vulnerable by Dell, see link for additional product details: https://www.dell.com/support/article/en-us/sln321836/dell-response-to-the-ripple20-vulnerabilities?lang=en |
| GE | Interlogix TVF-3102 | https://www.gehealthcare.com/security |
| Hewlett Packard (HP) | LaserJet Printer; OfficeJet Pro Printer | https://support.hp.com/us-en/document/c06640149 |
| Hewlett Packard Enterprise (HPE) | 3PAR; Integrated Lights Out | https://techhub.hpe.com/eginfolib/securityalerts/Ripple20/Ripple20.html |
| IBM Corporation* | WebSphere DataPower | https://www.ibm.com/support/pages/ibm-storage-devices-are-not-exposed-ripple20-vulnerabilities |
| Motorola/Verizon | QIP Set-Top Terminal | N/A |
| Oracle | Oracle Integrated Lights Out Manager | N/A |
| Ricoh | Printer | https://www.ricoh-usa.com/en/support-and-download/alerts/alerts-security-vulnerability-announcements |
| Schneider | APC AP9619 UPS Network Management Card; APC AP9631 UPS Network Management Card; APC AP9631 UPS Network Management Card | https://www.se.com/ww/en/download/document/SEVD-2020-175-01/ |

* Note: At the time this blog was published, IBM had not confirmed whether WebSphere DataPower is affected, but has provided a list of storage devices not affected by Ripple20.

** Note: After a thorough analysis, Dell has confirmed to Tenable that iDRAC is not vulnerable to Ripple20.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here and will be updated as additional plugins are released. Additionally, several plugins to identify the Treck and Kasago Network stacks have been released and can be found here.

Tenable.ot customers should contact their CSM to get access to Suricata rules that can be used for detection. These rules will be fully integrated in the next service pack of the current release and later versions.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
