Vulnerability Information

CISA released an advisory (ICSA-20-353-01) on December 18, 2020 regarding four new vulnerabilities found in the Treck TCP/IP stack with a combined CVSS v3 base score of 9.8. These vulnerabilities are found in Treck TCP/IP stack version 6.0.1.67 and earlier and can be viewed as additions to the Ripple20 vulnerabilities announced in June. 

The components of the stack affected are:

• HTTP Server
• IPv6
• DHCPv6

The Treck TCP/IP stack affected is deployed in millions of IoT devices across multiple sectors, including information technology, manufacturing, and healthcare. 

How Can These Vulnerabilities Impact Healthcare?

If any of these vulnerabilities are exploited successfully, threat actors can gain remote access to connected medical and IoT devices in healthcare ecosystems, execute malicious code, and launch a denial of service (DoS) attack, jeopardizing clinical workflow, patient confidentiality, and/or safety:

1. CVE-2020-25066 - This is a heap-based buffer overflow vulnerability with a CVSS v3 base score of 9.8. It compromises components of the Treck HTTP Server and can enable threat actors to execute a DoS attack on affected devices. It may also enable threat actors to execute arbitrary code, which can tamper with ePHI and jeopardize patient safety.
2. CVE-2020-27337 - This is an out-of-bounds write  vulnerability in the IPv6 component of the stack. It has a CVSS v3 base score of 9.1 and can allow unauthenticated users access to the network that can result also in DoS, effectively disabling mission-critical medical devices.
3. CVE-2020-27338 - An out-of-bounds read vulnerability with a CVSS v3 base score of  5.9 that affects the DHCPv6 component in Treck IPv6. This vulnerability may allow unauthenticated user access to adjacent networks, leading to DoS.
4. CVE-2020-27336 - Another out-of-bounds read vulnerability with a CVSS v3 base score of 3.7. It differs from number 3 in it involves improper input validation in Treck IPv6 and can enable unauthenticated users network access and the ability to read up to three bytes of out-of-bounds data.

Devices Affected

Like Ripple20 vulnerabilities, these four vulnerabilities are embedded in Treck's TCP/IP Internet protocol suite library. This library is often incorporated into larger libraries and built into the source codes of many connected medical and non-medical IoT devices used by healthcare organizations. 

A number of devices are mission-critical and are directly involved in patient care:

• Baxter, Sigma series and B. Braun infusion pumps
• BeaconMedaes medical gas alarms
• Carestream radiology devices
• Schneider/APC UPS and power management devices
• Digi/Capsule connectivity engines
• HP and Ricoh printers

What Can You Do to Mitigate the Threat and How Can Cynerio Help?

The first thing healthcare facilities should do is patch affected products and, where possible, apply the latest remediated version.

Cynerio can help you be proactive and defensive. We’ll help you:

1. Locate affected devices across your networks with automated and ongoing inventory/device discovery and fingerprinting that includes model, OS, medical criticality, vendor information, and more
2. Conduct ongoing identification of devices affected and detail the scope of exposure
3. Define healthcare-safe Zero Trust policies that secure devices against unauthorized, unauthenticated, and unverified access by third parties and vendors

To ensure our customers are always at least one step ahead of the game, Cynerio always keeps track of additional advisories from CISA, the FDA, vendors, and others. With every release, we update our systems and send you a notification to keep you informed. 

Some Other Helpful Resources

Treck advisory

CISA advisory

Due to the severity and multitude of recent healthcare breaches, alongside newly discovered vulnerabilities, we’ve made our free risk assessment available until after this holiday season. Contact us today for more details.