Summary
For process data documentation purposes, the laboratory washers, thermal disinfectors and washer-disinfectors can be integrated into a TCP/IP network using the affected communication module.
The communication module is separate from the actual device control and uses a chipset from Digi International.
The TCP/IP stack required for networking is implemented in this chipset with the help of a third-party library from Treck. External security researchers have identified several security vulnerabilities in this library, collectively known as Ripple20. The most critical vulnerability allows an external attacker to execute arbitrary code on the chip and thus also on the communication module.
The above-named communication module can be integrated into the following laboratory washers, thermal disinfectors and washer-disinfectors:
- PG 8581
- PG 8582
- PG 8583
- PG 8583 CD
- PG 8591
- PG 8582 CD
- PG 8592
- PG 8593
- PG 8562
Impact
The communication module's intended functionality (process documentation) cannot be guaranteed after a successful attack – authenticity, availability and integrity of the data are at risk.
The security issue has no impact on the devices' safety or on the cleaning and disinfection results of the laboratory washers, thermal disinfectors and washer-disinfectors.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
10440980, 09902230 | Hardware XKM3000 L MED | Firmware <=1.9.x |
Vulnerabilities
The Treck TCP/IP stack before 5.0.1.35 has an Out-of-Bounds Write via multiple malformed IPv6 packets.
The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.
The Treck TCP/IP stack before 6.0.1.66 improperly handles an IPv4/ICMPv4 Length Parameter Inconsistency, which might allow remote attackers to trigger an information leak.
The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution via a single invalid DNS response.
The Treck TCP/IP stack before 6.0.1.41 has an IPv4 tunneling Double Free.
The Treck TCP/IP stack before 6.0.1.66 has an Integer Overflow during Memory Allocation that causes an Out-of-Bounds Write.
The Treck TCP/IP stack before 6.0.1.66 has an IPv6OverIPv4 tunneling Out-of-bounds Read.
The Treck TCP/IP stack before 6.0.1.28 has a DHCP Out-of-bounds Read.
The Treck TCP/IP stack before 6.0.1.66 has a DHCPv6 Out-of-bounds Read.
The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.
The Treck TCP/IP stack before 6.0.1.66 has an Ethernet Link Layer Integer Underflow.
The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.
The Treck TCP/IP stack before 6.0.1.66 has Improper ICMPv4 Access Control.
The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.
The Treck TCP/IP stack before 6.0.1.66 has a TCP Out-of-bounds Read.
The Treck TCP/IP stack before 6.0.1.66 has an IPv4 Integer Underflow.
The Treck TCP/IP stack before 6.0.1.66 has an ICMPv4 Out-of-bounds Read.
The Treck TCP/IP stack before 6.0.1.66 has an ARP Out-of-bounds Read.
The Treck TCP/IP stack before 4.7.1.27 mishandles '\0' termination in DHCP.
Mitigation
The intended use of the devices and their networking functionality do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Remediation
A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.
Revision History
Version | Date | Summary |
---|---|---|
1 | 08.07.2020 09:29 | Initial revision. |
2 | 14.05.2025 14:28 | Fix: version space |