Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/2/2019
04:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Millions More Embedded Devices Contain Vulnerable IPnet Software

FDA, DHS issue fresh warnings on easily exploitable URGENT/11 flaws in medical, SCADA systems, industrial controllers, and other devices.

A substantially greater number of real-time operating systems (RTOSes) powering critical medical, industrial, and enterprise devices, are affected by a set of recently discovered security vulnerabilities than were originally reported.

Armis, which earlier this year disclosed as many as 11 zero-day bugs in VxWorks RTOS—an OS embedded in over two billion devices—this week described five other similar operating systems that also contain the flaws as well.

The vulnerabilities allow attackers to remotely take control of systems and execute code of their choice on them to change their function, steal data, cause denial-of-service attacks, and other digital mayhem. The list of devices impacted by the flaws includes SCADA systems and industrial controllers, patient monitors, MRI machines, firewalls, and network-connected printers.

Armis identified the five products newly discovered as being vulnerable as ThreadX by Microsoft; Operating System Embedded (OSE) from Enea; Integrity by Green Hills; Itron from the Tron Forum; and Nucleus RTOS by Mentor. Also impacted is ZebOS, a routing framework from IP Infusion that many network component manufacturers use in routers, switches, and other products, Armis said.

Older versions of these operating systems support IPnet, the same VxWorks TCP/IP stack in which Armis first discovered the 11 zero-day vulnerabilities. That's because the original developer of IPnet was a company called Interpeak, which sold the TCP/IP stack as a third-party library to multiple OS and device makers for several years.  

Armis' updated report prompted warnings this week from the US Food and Drug Administration and the Department of Homeland Security.

The stack was usually sold as a "one-time chunk of code" under a perpetual license mode—sometimes directly and sometimes via resellers, Armis said. Organizations that purchased it received little or no further updates and in many cases those who purchased the software under a perpetual license cannot be traced.

In 2006, Wind River, the developer of VxWorks, acquired Interpeak. Since then, other RTOS vendors have gradually stopped integrating IPnet in their products.

Even so, there are many devices—with very long life cycles—online today with operating systems containing one or more of the 11 security flaws, Armis said. "This combination of embedded, and at times, untraceable code which receives no updates creates a time bomb for any bug discovered in the original code," the vendor warned in a report this week.

When Armis originally reported the so-called URGENT/11 bugs in July, the company estimated that some 200 million devices running versions of VxWorks spanning a 13-year period were open to exploit. The new discovery suggests that potentially millions of additional medical, enterprise, and industrial devices are impacted as well, the vendor noted.

Broad Exposure

Ben Seri, vice president of research at Armis, says it's hard to put a finite number on the additional exposure. Devices that Armis has confirmed are vulnerable include the popular Alaris infusion pumps from Becton Dickinson, various Canon and Ricoh printers, and a component used by certain HP Proliant servers. "Combining these examples, we estimate the additional impact is within millions of devices," he says.

Impacted device manufacturers will need to choose whether to upgrade their systems to newer RTOS versions that do not use IPnet, or they will need to contact Wind River to obtain patches. The latter might prove difficult, since the patches that Wind River has developed are only for the latest version of IPnet, Seri notes.

Some vulnerable devices also lack the capability to update entirely, which is what makes these vulnerabilities so important to protect against, he says. Mitigations include limiting the connectivity of any critical device and implementing network segmentation that limits network access to vulnerable devices. "In addition, there are various firewall and IDS rules that can be put in place, to prevent certain vulnerabilities from becoming a threat to medical devices, and this too can help reduce the risk," Seri says.

From an exploitation standpoint, the vulnerabilities present few challenges. Most of the flaws are what Seri describes as basic memory corruption issues such as stack and heap overflows that attackers have attacked for years. Even so, "reaching full remote-code-execution through these vulnerabilities would require some customization of an exploit, for each type of impacted device," he says.

The FDA said the vulnerabilities pose a threat to certain medical devices and hospital networks and urged device manufacturers to conduct risk assessments and find out from their operating system vendor about patch availability. It also urged healthcare providers to notify patients using medical devices impacted by the flaws and advised healthcare IT staff to monitor logs for URGENT/11 exploits.

In its advisory, the DHS provided an updated list of all operating systems impacted by the vulnerabilities and suggested mitigations for them.

"One of the biggest challenges towards addressing URGENT/11 is going to be quite simply the lack of visibility into what is vulnerable," says Craig Young, security researcher for Tripwire's Vulnerability and Exposure Research Team.

Vendors typically do not market their products based on their protocol software stack, and heuristic checks for URGENT/11 are likely difficult especially for those concerned about crashing their systems, he says. "A good starting point, however, is to use network stack fingerprinting techniques to identify likely VxWorks derived products and contact vendors for updates."

Young says the most likely risk from attacks is disruption. Many of the flaws rely on the ability to deliver corrupt datagrams to the targeted device over a network. "In a lot of cases, routers, switches, or basic security devices will filter this traffic such that the attacker effectively must originate attack traffic on the same physical network segment as the target."

The likelihood of adversaries exploiting the vulnerabilities to launch widescale attacks are low he says. "I would, however, expect that several intelligence agencies are already capable of using this to get code execution on specific targets of value," Young adds.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Inestimable Values of an Attacker's Mindset & Alex Trebek"

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.
CVE-2019-19230
PUBLISHED: 2019-12-09
An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.