The US Department of Homeland Security and the US Food and Drug Administration (FDA) have published advisories this week warning about a much broader impact of the Urgent/11 vulnerabilities, which impact more operating systems than initially thought.
The Urgent/11 security flaws were initially disclosed over the summer by cyber-security firm Armis. They allow attackers to run malicious code and take over a wide range of devices, from routers to firewalls, and from printers to industrial equipment.
Security researchers initially believed Urgent/11 only impacted devices using VxWorks, a real-time operating system (RTOS) created by Wind River.
The actual issue was tracked down to IPnet, a TCP/IP networking library that was part of VxWorks.
New operating systems discovered vulnerable
However, additional testing over the summer confirmed that devices running real-time operating systems were also impacted, such as OSE created by ENEA, INTEGRITY created by Green Hills, Microsoft’s ThreadX, ITRON by TRON Forum, Mentor’s Nucleus RTOS, and ZebOS, a routing platform which provides TCP/IP services for other operating systems.
Now, the DHS is urging companies to check the technical specifications of the devices they’re using and see if they’re running any of the affected operating systems.
To help, Armis has released a tool that scans networks for devices that contain the IPnet networking stack and are vulnerable to the Urgent/11 vulnerabilities.
In a similar advisory, the FDA is urging hospitals and other healthcare providers to do the same. The only medical devices that have been confirmed as being vulnerable to Urgent/11 is the BD Alaris infusion pump and the Xprezzon patient monitor; however, many more could also be susceptible to attacks.
Hardware and software vendors react
Since the initial Urgent/11 disclosure, many hardware manufacturers have issued security advisories for customers on how to handle vulnerable equipment, along with patches. Below is a list of Urgent/11 security advisories published by various companies:
In addition, the makers of operating systems that have been recently deemed vulnerable to Urgent/11 have also issued their own statements, via the DHS.
ENEA, the maker of OSE, recommended that affected users upgrade to a newer version of OSE or contact WindRiver (now the license holder for Interpeak) for compensating controls.
Green Hills Software, the maker of INTEGRITY, also said that affected users should contact Wind River.
Microsoft said they never supported IPnet inside ThreadX, and that some hardware makers could have used ThreadX and a custom set IPnet in the hardware, and as a result, some equipment running ThreadX might show up as vulnerable.
TRON Forum said they only publish the specification for the ITRON RTOS, and that hardware makers are free to use the specification as they wish, including using IPnet as a networking stack; however, they never recommended this particular library in the specification. TRON Forum said it would send out a warning to members via its mailing list to notify implementors of the reported vulnerabilities.
The other two vendors did not share a statement in the DHS alert.