MIELE: Treck TCP/IP Vulnerabilities (Ripple20) affecting Communication Module XKM3000 L MED

VDE-2020-024 (2020-07-08 09:29 UTC+0200)

Affected Vendors

Miele

Affected Products

Affected Communications-Module

XKM3000 L MED (Material No. 09902230, 10440980), Versions <= 1.9.x

The above-named communication module can be integrated into the following laboratory washers, thermal disinfectors and washer-disinfectors:

  • PG 8581
  • PG 8582
  • PG 8583
  • PG 8583 CD
  • PG 8591
  • PG 8582 CD
  • PG 8592
  • PG 8593
  • PG 8562

Vulnerability Type

Improper Handling of Length Parameter Inconsistency (CWE-130)

Summary

For process data documentation purposes the laboratory washers, thermal disinfectors and washer-disinfectors can be integrated in a TCP/IP network by utilizing the affected communication module.

The communication module is separate from the actual device control and uses a chipset from Digi International.

The TCP/IP stack required for networking is implemented in this chipset with the help of a third-party library from Treck. External security researchers have identified several security holes in this library, collectively called Ripple20. The most critical vulnerability allows an external attacker to execute arbitrary code on the chip and thus also on the communication module.

Impact

The most critical security issue is described here. All other issues are listed above in the CVE list or here.

Vulnerability ID: CVE-2020-11896
Type: CWE-130: Improper Handling of Length Parameter Inconsistency
Vulnerability / Issues: Improper handling of a length parameter within the IPv4/UDP component when processing a packet sent by an unauthorized attacker. An attacker might execute arbitrary code on the communication module.
CVSS Score: 10.0 (Critical)
CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The communication module's intended functionality (process documentation) cannot be guaranteed after a successful attack – authenticity, availability and integrity of the data are at risk.

The security issue has no impact on the devices' safety or on the cleaning and disinfection results of the laboratory washers, thermal disinfectors and washer-disinfectors.
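
An added illustration of the CWE-130 class named above, as it applies to an IPv4/UDP receive path: every length field is checked against the number of bytes actually received before it is used as a size. This is example code written for this page, not Treck, Digi or Miele code and not a reconstruction of CVE-2020-11896; the names `len_check`, `check_ipv4_udp`, `check_patched` and `SAMPLE` are hypothetical and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum len_check { LEN_OK, LEN_TRUNCATED, LEN_BAD_IP_HDR, LEN_IP_MISMATCH,
                 LEN_FRAGMENT, LEN_NOT_UDP, LEN_UDP_MISMATCH };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Check every length field against the bytes actually received (buf_len)
   before any of them is used as a size. Checksums are out of scope here. */
enum len_check check_ipv4_udp(const uint8_t *buf, size_t buf_len,
                              const uint8_t **payload, size_t *payload_len)
{
    if (buf_len < 20) return LEN_TRUNCATED;            /* minimum IPv4 header */
    if ((buf[0] >> 4) != 4) return LEN_BAD_IP_HDR;
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;          /* header length, bytes */
    if (ihl < 20 || ihl > buf_len) return LEN_BAD_IP_HDR;
    size_t total = rd16(buf + 2);                      /* IPv4 Total Length */
    /* total may be smaller than buf_len (link-layer padding), never larger */
    if (total < ihl || total > buf_len) return LEN_IP_MISMATCH;
    /* A fragment's UDP length covers the whole datagram: check after reassembly. */
    if (rd16(buf + 6) & 0x3FFF) return LEN_FRAGMENT;   /* MF flag or offset set */
    if (buf[9] != 17) return LEN_NOT_UDP;
    if (total - ihl < 8) return LEN_TRUNCATED;         /* no room for UDP header */
    const uint8_t *udp = buf + ihl;
    size_t udp_len = rd16(udp + 4);
    if (udp_len < 8 || udp_len > total - ihl) return LEN_UDP_MISMATCH;
    *payload = udp + 8;
    *payload_len = udp_len - 8;
    return LEN_OK;
}

/* Constructed sample (not captured traffic): IPv4 + UDP carrying "ping". */
static const uint8_t SAMPLE[32] = {
    0x45, 0, 0, 32,  0, 1, 0, 0,  64, 17, 0, 0,  192, 0, 2, 1,  192, 0, 2, 2,
    0x30, 0x39, 0x30, 0x3A,  0, 12, 0, 0,  'p', 'i', 'n', 'g' };

/* Run the check on SAMPLE with one byte overwritten and buf_len bytes received. */
enum len_check check_patched(size_t off, uint8_t val, size_t buf_len)
{
    uint8_t pkt[sizeof SAMPLE];
    const uint8_t *p; size_t n;
    memcpy(pkt, SAMPLE, sizeof pkt);
    pkt[off] = val;
    return check_ipv4_udp(pkt, buf_len, &p, &n);
}

int main(void) { return check_patched(0, 0x45, sizeof SAMPLE) != LEN_OK; }
```
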

Solution

A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

Temporary Mitigation

The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.

Reported by

JSOF research lab

Miele reported this vulnerability to CERT@VDE