Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Ripple20: More Vulnerable Devices Discovered, Including New Vendors

A partnership between Tenable and JSOF continues to uncover additional devices vulnerable to Ripple20.

Update September 9, 2020: The Affected Vendors section has been updated based on feedback from vendors.

Background

On June 16, researchers from JSOF research lab disclosed a set of 19 vulnerabilities, dubbed “Ripple20”, which could impact millions of operational technology (OT), Internet of Things (IoT), and IT devices. The vulnerabilities exist within an embedded TCP/IP software library developed by Treck Inc., a developer of embedded internet protocols. The Tenable Security Response Team first wrote a blog post about the Ripple20 vulnerabilities on the day of its disclosure, which evoked memories of URGENT/11, a group of eleven vulnerabilities in the real-time operating system VxWorks, that were disclosed in 2019.

A Complex Supply Chain

Treck’s TCP/IP library has been widely adopted by numerous device vendors that have reused and repurposed it for more than two decades. This includes a split-off library known as Kasago, now managed by Elmic Systems as well as many rebranded names for the library such as QuadNet, GHNet V2, Net+ OS, KwikNet and others. This has resulted in a very complex supply chain problem. JSOF worked closely with multiple vendors and agencies including the CERT Coordination Center (CERT/CC) and the Cybersecurity and Infrastructure Security Agency (CISA) to help track down and notify vendors about these vulnerabilities. With potentially hundreds of vendors affected, identification and notification was naturally going to be a challenge. Adding to this complexity is the fact that each device may have divergent code due to unique implementation necessary for their specific use case and a multitude of configurable compilation options, which could alter how the device might respond to specific network requests. Because of this, each potentially vulnerable device requires a different method to confirm exploitability.

More Vulnerable Devices Identified by Tenable

When the Ripple20 advisory was published, Tenable Research contacted JSOF to collaborate on the discovery of affected devices. During the initial disclosure, several vendors had been notified, and many were evaluating their product lines to determine if any devices they offered were affected. Because of the myriad ways in which vendors likely repurposed the Treck library, identification, correction, and patch availability will require an extensive amount of time. In some cases, device vendors may no longer be in business, meaning those affected devices will not receive patches or support.

With guidance from JSOF on various detection methods, the Tenable Research team was able to help identify 34 additional vendors and 47 additional devices that were potentially affected. The findings were reported to JSOF who continues to work with CERT/CC on the disclosure process with the affected vendors.

Affected Vendors

Tenable has adopted multiple vendor-agnostic approaches to detecting the Treck stack while trying to ensure the detection methods used are not destructive to the assets being scanned. Using multiple approaches for detection, helps enhance Tenable's ability to provide coverage for the diverse Treck libraries used by various devices. The vendors in the following list have been contacted by JSOF or CERT/CC, in cooperation with other CERT entities including CERT-IL. In some cases, the products below may still be under evaluation to determine if they may be affected. It’s important to note that this is not an exhaustive list and we anticipate uncovering additional devices that may be affected, which we will determine as our testing efforts continue.

Vendor Product Advisory
AudioCodes SIP Device https://www.audiocodes.com/media/13240/sip-cpe-release-notes-ver-66.pdf
https://www.audiocodes.com/media/13261/sip-gateways-sbcs-release-notes-ver-70.pdf
Avaya IP Phone https://support.avaya.com/public/index?page=content&id=SOLN353492&viewlocale=en_US
Cisco ASA 5500 IP Telephone SF Series https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC
Dell** iDRAC Controller PowerEdge Blade Chassis
Confirmed not vulnerable by Dell, see link for additional product details
https://www.dell.com/support/article/en-us/sln321836/dell-response-to-the-ripple20-vulnerabilities?lang=en
GE Interlogix TVF-3102 https://www.gehealthcare.com/security
Hewlett Packard (HP) LaserJet Printer OfficeJet Pro Printer https://support.hp.com/us-en/document/c06640149
Hewlett Packard Enterprise (HPE) 3PAR Integrated Lights Out https://techhub.hpe.com/eginfolib/securityalerts/Ripple20/Ripple20.html
IBM Corporation* WebSphere DataPower https://www.ibm.com/support/pages/ibm-storage-devices-are-not-exposed-ripple20-vulnerabilities
Motorola/Verizon QIP Set-Top Terminal N/A
Oracle Oracle Integrated Lights Out Manager N/A
Ricoh Printer https://www.ricoh-usa.com/en/support-and-download/alerts/alerts-security-vulnerability-announcements
Schneider APC AP9619 UPS Network Management Card APC AP9631 UPS Network Management Card APC AP9631 UPS Network Management Card https://www.se.com/ww/en/download/document/SEVD-2020-175-01/

* Note: At the time this blog was published, IBM has not confirmed if WebSphere DataPower is affected, but has provided a list of storage devices not affected by Ripple20.

** Note: After a thorough analysis, Dell has confirmed to Tenable that iDRAC is not vulnerable to Ripple20.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here and will be updated as additional plugins are released. Additionally, several plugins to identify the Treck and Kasago Network stacks have been released and can be found here.

Tenable.ot customers should contact their CSM to get access to Suricata rules that can be used for detection. These rules will be fully integrated in the next service pack of the current release and later versions.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training