VDE-2020-024

Vulnerability from csaf_mieleciekg - Published: 2020-07-08 07:29 - Updated: 2025-05-14 12:28
Summary
Miele: Treck TCP/IP Vulnerabilities (Ripple20) affecting Communication Module XKM3000 L MED
Notes
Summary: For process data documentation purposes, the laboratory washers, thermal disinfectors and washer-disinfectors can be integrated in a TCP/IP network by utilizing the affected communication module.

The communication module is separate from the actual device control and uses a chipset from Digi International.

The TCP/IP stack required for networking is implemented in this chipset with the help of a third-party library from Treck. External security researchers have identified several security holes in this library, known as Ripple20. The most critical vulnerability allows an external attacker to execute arbitrary code on the chip and thus also on the communication module.

The above-named communication module can be integrated into the following laboratory washers, thermal disinfectors and washer-disinfectors:

- PG 8581
- PG 8582
- PG 8583
- PG 8583 CD
- PG 8591
- PG 8582 CD
- PG 8592
- PG 8593
- PG 8562

Impact: The communication module's intended functionality (process documentation) cannot be guaranteed after a successful attack: the authenticity, availability and integrity of the data are at risk. The security issue has no impact on the safety of the devices or on the cleaning and disinfection results of the laboratory washers, thermal disinfectors and washer-disinfectors.
Remediation: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.

The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.

CWE-20 - Improper Input Validation
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 5.0.1.35 has an Out-of-Bounds Write via multiple malformed IPv6 packets.

CWE-787 - Out-of-bounds Write
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 improperly handles an IPv4/ICMPv4 Length Parameter Inconsistency, which might allow remote attackers to trigger an information leak.

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 allows Remote Code execution via a single invalid DNS response.

CWE-20 - Improper Input Validation
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.41 has an IPv4 tunneling Double Free.

CWE-415 - Double Free
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 has an IPv6OverIPv4 tunneling Out-of-bounds Read.

CWE-125 - Out-of-bounds Read
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 has an Integer Overflow during Memory Allocation that causes an Out-of-Bounds Write.

CWE-787 - Out-of-bounds Write
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 has a DHCPv6 Out-of-bounds Read.

CWE-125 - Out-of-bounds Read
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.28 has a DHCP Out-of-bounds Read.

CWE-125 - Out-of-bounds Read
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 has an Ethernet Link Layer Integer Underflow.

CWE-191 - Integer Underflow (Wrap or Wraparound)
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 improperly handles a Length Parameter Inconsistency in TCP.

Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.

CWE-125 - Out-of-bounds Read
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 has an ICMPv4 Out-of-bounds Read.

CWE-125 - Out-of-bounds Read
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 has an IPv4 Integer Underflow.

CWE-191 - Integer Underflow (Wrap or Wraparound)
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 has a TCP Out-of-bounds Read.

CWE-125 - Out-of-bounds Read
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.

CWE-125 - Out-of-bounds Read
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 has Improper ICMPv4 Access Control.

CWE-862 - Missing Authorization
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 4.7.1.27 mishandles '\0' termination in DHCP.

Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.

The Treck TCP/IP stack before 6.0.1.66 has an ARP Out-of-bounds Read.

CWE-125 - Out-of-bounds Read
Mitigation: The intended use of the devices and the networking functionalities do not require an internet connection. Please operate the devices only in a secure local network to further reduce the risk.
Vendor Fix: A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.
Acknowledgments
CERT@VDE certvde.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "For process data documentation purposes the laboratory washers, thermal disinfectors and washer-disinfectors can be integrated in a TCP/IP network by utilizing the affected communication module.\n\nThe communication module is separate from the actual device control and uses a chipset from Digi International.\n\nThe TCP / IP stack required for networking is implemented in this chipset with the help of a 3rd party library from Treck. External security researchers have identified several security holes in this library called Ripple20. The most critical vulnerability allows an external attacker to execute arbitrary code on the chip and thus also on the communication module.\n\nThe above named communication module can be integrated into the following laboratory washers, thermal disinfectors and washer- disinfectors:\n\n- PG 8581\n- PG 8582\n- PG 8583\n- PG 8583 CD\n- PG 8591\n- PG 8582 CD\n- PG 8592\n- PG 8593\n- PG 8562",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The communication modules intended functionality (process documentation) cannot be guaranteed after a successful attack \u2013 authenticity availability and integrity of the data are at risk.\n\nThe security issue has no impact on the devices safety and cleaning and disinfection results of the laboratory washers, thermal disinfectors and washer-disinfectors.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
        "title": "Remediation"
      },
      {
        "category": "description",
        "text": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
        "title": "Mitigation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@miele.com",
      "name": "Miele \u0026 Cie KG",
      "namespace": "https://www.miele.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2020-024: Miele: Treck TCP/IP Vulnerabilities (Ripple20) affecting Communication Module XKM3000 L MED - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2020-024/"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Miele",
        "url": "https://certvde.com/de/advisories/vendor/miele/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-024: Miele: Treck TCP/IP Vulnerabilities (Ripple20) affecting Communication Module XKM3000 L MED - CSAF",
        "url": "https://miele.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-024.json"
      }
    ],
    "title": "Miele: Treck TCP/IP Vulnerabilities (Ripple20) affecting Communication Module XKM3000 L MED",
    "tracking": {
      "aliases": [
        "VDE-2020-024"
      ],
      "current_release_date": "2025-05-14T12:28:19.000Z",
      "generator": {
        "date": "2024-11-13T14:53:10.377Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.13"
        }
      },
      "id": "VDE-2020-024",
      "initial_release_date": "2020-07-08T07:29:00.000Z",
      "revision_history": [
        {
          "date": "2020-07-08T07:29:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-05-14T12:28:19.000Z",
          "number": "2",
          "summary": "Fix: version space"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "XKM3000 L MED",
                "product": {
                  "name": "Hardware XKM3000 L MED",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "10440980",
                      "09902230"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=1.9.x",
                "product": {
                  "name": "Firmware \u003c=1.9.x",
                  "product_id": "CSAFPID-21002"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Miele"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=1.9.x installed on Hardware XKM3000 L MED",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11001"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-11896",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 10,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "temporalScore": 10,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11896"
    },
    {
      "cve": "CVE-2020-11897",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 5.0.1.35 has an Out-of-Bounds Write via multiple malformed IPv6 packets.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 10,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "temporalScore": 10,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11897"
    },
    {
      "cve": "CVE-2020-11898",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 improperly handles an IPv4/ICMPv4 Length Parameter Inconsistency, which might allow remote attackers to trigger an information leak.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.1,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.1,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11898"
    },
    {
      "cve": "CVE-2020-11901",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 allows Remote Code execution via a single invalid DNS response.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.1,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "temporalScore": 9,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11901"
    },
    {
      "cve": "CVE-2020-11900",
      "cwe": {
        "id": "CWE-415",
        "name": "Double Free"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.41 has an IPv4 tunneling Double Free.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 8.2,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 8.2,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11900"
    },
    {
      "cve": "CVE-2020-11902",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 has an IPv6OverIPv4 tunneling Out-of-bounds Read.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "environmentalScore": 7.3,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.3,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11902"
    },
    {
      "cve": "CVE-2020-11904",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 has an Integer Overflow during Memory Allocation that causes an Out-of-Bounds Write.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "environmentalScore": 7.3,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.3,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11904"
    },
    {
      "cve": "CVE-2020-11905",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 has a DHCPv6 Out-of-bounds Read.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11905"
    },
    {
      "cve": "CVE-2020-11903",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.28 has a DHCP Out-of-bounds Read.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11903"
    },
    {
      "cve": "CVE-2020-11906",
      "cwe": {
        "id": "CWE-191",
        "name": "Integer Underflow (Wrap or Wraparound)"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 has an Ethernet Link Layer Integer Underflow.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 6.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 6.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11906"
    },
    {
      "cve": "CVE-2020-11907",
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 improperly handles a Length Parameter Inconsistency in TCP.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 6.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 6.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11907"
    },
    {
      "cve": "CVE-2020-11899",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 5.4,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.4,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11899"
    },
    {
      "cve": "CVE-2020-11910",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 has an ICMPv4 Out-of-bounds Read.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11910"
    },
    {
      "cve": "CVE-2020-11909",
      "cwe": {
        "id": "CWE-191",
        "name": "Integer Underflow (Wrap or Wraparound)"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 has an IPv4 Integer Underflow.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11909"
    },
    {
      "cve": "CVE-2020-11912",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 has a TCP Out-of-bounds Read.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11912"
    },
    {
      "cve": "CVE-2020-11913",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11913"
    },
    {
      "cve": "CVE-2020-11911",
      "cwe": {
        "id": "CWE-862",
        "name": "Missing Authorization"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 has Improper ICMPv4 Access Control.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11911"
    },
    {
      "cve": "CVE-2020-11908",
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 4.7.1.27 mishandles \u0027\\0\u0027 termination in DHCP.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11908"
    },
    {
      "cve": "CVE-2020-11914",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Treck TCP/IP stack before 6.0.1.66 has an ARP Out-of-bounds Read.",
          "title": "Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The intended use of the devices and the networking functionalities do not require internet connection. Please operate the devices only in a secure local network to further reduce the risk.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.",
          "product_ids": [
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2020-11914"
    }
  ]
}

