Article No. | Product Name | Affected Version(s)
---|---|---
09902230 | XKM3000 L MED | <= 1.9.x
10440980 | XKM3000 L MED | <= 1.9.x
For process data documentation purposes, the laboratory washers, thermal disinfectors and washer-disinfectors can be integrated into a TCP/IP network by means of the affected communication module.
The communication module is separate from the actual device control and uses a chipset from Digi International.
The TCP/IP stack required for networking is implemented in this chipset with the help of a third-party library from Treck. External security researchers have identified several security vulnerabilities in this library, collectively called Ripple20. The most critical vulnerability allows an external attacker to execute arbitrary code on the chip and thus also on the communication module.
The above-named communication module can be integrated into the following laboratory washers, thermal disinfectors and washer-disinfectors:
The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.
The communication module's intended functionality (process documentation) cannot be guaranteed after a successful attack – the authenticity, availability and integrity of the data are at risk.
The security issue has no impact on the devices' safety or on the cleaning and disinfection results of the laboratory washers, thermal disinfectors and washer-disinfectors.
A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.
Temporary Mitigation
The intended use of the devices and their networking functionality do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
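As an added illustration of the mitigation above (example code, not part of Miele's advisory), the check below parses IPv4 headers and flags traffic to the module that either comes from outside the trusted laboratory segment or uses IP-in-IP encapsulation, the IPv4 tunneling path named in the vulnerability description. The module address, the trusted subnet and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

# Assumed values for this example (not from the advisory): the module's address
# and the laboratory's trusted network segment.
MODULE_ADDR = ipaddress.ip_address("192.0.2.40")
TRUSTED_LAN = ipaddress.ip_network("192.0.2.0/24")
IPPROTO_IPIP = 4  # IP-in-IP encapsulation, i.e. IPv4 tunneling

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (no options, checksum left zero) as test input."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields the check needs; reject truncated or non-IPv4 input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "total_len": total_len}


def check_packet(pkt: bytes) -> list:
    """Return policy findings for a packet addressed to the module (empty list = allowed)."""
    hdr = parse_ipv4(pkt)
    if hdr["dst"] != MODULE_ADDR:
        return []  # not traffic to the communication module
    findings = []
    if hdr["src"] not in TRUSTED_LAN:
        findings.append("source outside trusted LAN: %s" % hdr["src"])
    if hdr["proto"] == IPPROTO_IPIP:
        findings.append("IP-in-IP (IPv4 tunneling) toward the module")
    return findings


# Constructed sample traffic: a documentation server on the LAN, an outside host,
# and an outside IP-in-IP packet wrapping a second IPv4 packet.
LAN_TCP = build_ipv4("192.0.2.10", "192.0.2.40", 6, b"\x00" * 20)
OUTSIDE_TCP = build_ipv4("198.51.100.7", "192.0.2.40", 6, b"\x00" * 20)
OUTSIDE_IPIP = build_ipv4("198.51.100.7", "192.0.2.40", IPPROTO_IPIP,
                          build_ipv4("10.0.0.1", "192.0.2.40", 6))

if __name__ == "__main__":
    for name, pkt in [("lan", LAN_TCP), ("outside", OUTSIDE_TCP), ("ipip", OUTSIDE_IPIP)]:
        print(name, check_packet(pkt) or "allowed")
```

A perimeter filter that drops protocol 4 toward the device segment and permits only the documentation server's address enforces the same two conditions in-line.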
Miele reported this vulnerability to CERT@VDE.