
ID

VDE-2020-024

Published

2020-07-08 09:29 (CEST)

Last update

2020-07-08 09:29 (CEST)

Vendor(s)

Miele & Cie KG

Product(s)

Article No. | Product Name | Affected Version(s)
09902230 | XKM3000 L MED | <= 1.9.x
10440980 | XKM3000 L MED | <= 1.9.x

Summary

For process data documentation purposes, laboratory washers, thermal disinfectors and washer-disinfectors can be integrated into a TCP/IP network using the affected communication module.

The communication module is separate from the actual device control and uses a chipset from Digi International.

The TCP/IP stack required for networking is implemented in this chipset using a third-party library from Treck. External security researchers have identified several vulnerabilities in this library, collectively known as Ripple20. The most critical of them allows an external attacker to execute arbitrary code on the chip and thus also on the communication module.

The above-named communication module can be integrated into the following laboratory washers, thermal disinfectors and washer-disinfectors:

  • PG 8581
  • PG 8582
  • PG 8583
  • PG 8583 CD
  • PG 8591
  • PG 8582 CD
  • PG 8592
  • PG 8593
  • PG 8562

Vulnerabilities

Weakness
Improper Input Validation (CWE-20)
Summary
The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.

Weakness
Out-of-bounds Write (CWE-787)
Summary
The Treck TCP/IP stack before 5.0.1.35 has an Out-of-Bounds Write via multiple malformed IPv6 packets.

Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary
The Treck TCP/IP stack before 6.0.1.66 improperly handles an IPv4/ICMPv4 Length Parameter Inconsistency, which might allow remote attackers to trigger an information leak.

Weakness
Improper Input Validation (CWE-20)
Summary
The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution via a single invalid DNS response.

Weakness
Double Free (CWE-415)
Summary
The Treck TCP/IP stack before 6.0.1.41 has an IPv4 tunneling Double Free.

Weakness
Out-of-bounds Read (CWE-125)
Summary
The Treck TCP/IP stack before 6.0.1.66 has an IPv6OverIPv4 tunneling Out-of-bounds Read.

Weakness
Out-of-bounds Write (CWE-787)
Summary
The Treck TCP/IP stack before 6.0.1.66 has an Integer Overflow during Memory Allocation that causes an Out-of-Bounds Write.

Weakness
Out-of-bounds Read (CWE-125)
Summary
The Treck TCP/IP stack before 6.0.1.66 has a DHCPv6 Out-of-bounds Read.

Weakness
Out-of-bounds Read (CWE-125)
Summary
The Treck TCP/IP stack before 6.0.1.28 has a DHCP Out-of-bounds Read.

Weakness
Integer Underflow (Wrap or Wraparound) (CWE-191)
Summary
The Treck TCP/IP stack before 6.0.1.66 has an Ethernet Link Layer Integer Underflow.

Weakness
Summary
The Treck TCP/IP stack before 6.0.1.66 improperly handles a Length Parameter Inconsistency in TCP.

Weakness
Out-of-bounds Read (CWE-125)
Summary
The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.

Weakness
Out-of-bounds Read (CWE-125)
Summary
The Treck TCP/IP stack before 6.0.1.66 has an ICMPv4 Out-of-bounds Read.

Weakness
Integer Underflow (Wrap or Wraparound) (CWE-191)
Summary
The Treck TCP/IP stack before 6.0.1.66 has an IPv4 Integer Underflow.

Weakness
Out-of-bounds Read (CWE-125)
Summary
The Treck TCP/IP stack before 6.0.1.66 has a TCP Out-of-bounds Read.

Weakness
Out-of-bounds Read (CWE-125)
Summary
The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.

Weakness
Missing Authorization (CWE-862)
Summary
The Treck TCP/IP stack before 6.0.1.66 has Improper ICMPv4 Access Control.

Weakness
Summary
The Treck TCP/IP stack before 4.7.1.27 mishandles '\0' termination in DHCP.

Weakness
Out-of-bounds Read (CWE-125)
Summary
The Treck TCP/IP stack before 6.0.1.66 has an ARP Out-of-bounds Read.

Impact

The communication module's intended functionality (process documentation) cannot be guaranteed after a successful attack; the authenticity, availability and integrity of the data are at risk.

The security issue has no impact on the safety of the devices or on the cleaning and disinfection results of the laboratory washers, thermal disinfectors and washer-disinfectors.

Solution

A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

Temporary Mitigation

The intended use of the devices and their networking functionality do not require an internet connection. To further reduce the risk, operate the devices only in a secure local network.
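One concrete way to put the "secure local network only" advice into practice, added here as an example and not part of the advisory or of Miele's documentation: an nftables forwarding policy on the router or firewall that sits between the device network and the rest of the site. The interface names, the device subnet 10.20.30.0/24 and the process-documentation server 10.20.40.10 are placeholders; adjust them to the actual installation.

```nftables
# Constructed example: isolate the communication modules in their own VLAN.
# Assumptions (placeholders, not from the advisory):
#   vlan30 / 10.20.30.0/24  - network containing the XKM3000 L MED modules
#   vlan40 / 10.20.40.10    - server that collects the process documentation
# Default policy is drop, so neither the internet nor any other site network
# can reach the modules, and the modules cannot reach anything but the server.

table inet lab_devices {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed below
        ct state established,related accept

        # The documentation server may open connections to the modules
        iifname "vlan40" oifname "vlan30" \
            ip saddr 10.20.40.10 ip daddr 10.20.30.0/24 accept

        # The modules may open connections only to the documentation server
        iifname "vlan30" oifname "vlan40" \
            ip saddr 10.20.30.0/24 ip daddr 10.20.40.10 accept

        # Anything else crossing the device VLAN boundary is logged and dropped
        iifname "vlan30" log prefix "lab-device-egress-drop " drop
        oifname "vlan30" log prefix "lab-device-ingress-drop " drop
    }
}
```

Because the chain's policy is drop and only IPv4 traffic between the two named hosts is accepted, forwarded IPv6, DHCPv6 and tunneled traffic never reaches the modules from outside their VLAN, which covers several of the stack issues listed above. Traffic that originates inside the device VLAN itself (ARP, link-local ICMPv4, DHCP from a rogue host on the same segment) is not filtered by a forwarding rule, so the VLAN should contain only the devices and trusted infrastructure until the patch from the Solution section has been applied. The logged drops also give a simple indicator of unexpected connection attempts against the modules.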

Reported by

JSOF Research Lab

Miele reported this vulnerability to CERT@VDE