URGENT/11 vulnerability
Introduction
Vulnerabilities are not present in mainline enterprise operating systems (OS) alone — they can also be found in the Real Time Operating Systems (RTOS) used in critical infrastructure, medical and other critical industries.
URGENT/11 is one of these RTOS vulnerabilities and has been discovered in third-party network communication software known as IPnet. This set of vulnerabilities is known to affect industrial, SCADA, medical and enterprise devices and offers us a great example of an RTOS vulnerability.
Learn Vulnerability Management
This article will detail the URGENT/11 vulnerability and will explore what URGENT/11 is, the vulnerabilities that URGENT/11 comprises, URGENT/11 attack scenarios and more.
What is an RTOS?
Before you can understand URGENT/11, you have to understand the universe it exists in. Most enterprise and consumer computer OS are general-purpose, which means they can run multiple applications at the same time to maximize system functionality for the user.
RTOS is a type of OS that has a far more predictable scheduler because it only runs one application at a time. This predictability is essential when information must be quickly processed without delay — including SCADA, medical and some enterprises. Security is almost more important for RTOS than general OS because any security compromise may disrupt its time-sensitive operations, so it is no surprise that vulnerabilities are rarer for RTOS.
What is URGENT/11?
Discovered by a research team at Armis Labs, URGENT/11 is a set of vulnerabilities found in weak code in a third-party network communication software called IPnet on the VxWorks RTOS, affecting all versions since 6.5 (excluding versions designed for certification). It should be noted that before VxWorks was acquired in 2006, IPnet was used with a variety of other RTOSs which may be impacted by URGENT/11, but there is no hard evidence of infection in these RTOSs.
URGENT/11 is a set of 11 different vulnerabilities. Six enable Remote Code Execution (RCE) and are classified as critical. The other five vulnerabilities in the set are denial of service, logical flaws or information leaks.
What makes URGENT/11 so concerning is that it allows attackers to take control of devices without user interaction and circumvent perimeter security devices, including NAT solutions and firewalls. URGENT/11 accomplishes the attack goal of delivering malware onto networks and connected devices and also gives attackers wide-ranging capabilities on impacted devices including shutting down infusion pumps, leaking information, infiltrating patient monitors and even the ability to fake a life-threatening emergency.
This type of vulnerability is considered “wormable” like the recent EternalBlue vulnerability that spread the WannaCry malware in 2017.
Vulnerabilities that comprise URGENT/11
URGENT/11 comprises 11 vulnerabilities:
Critical RCE vulnerabilities
- Stack overflow in IPv2 option parsing (CVE-2019-12256)
- DHCP Offer/ACK parsing heap overflow in ipdhcpc (CVE-2019-12257)
- Four memory corruption-based vulnerabilities centered around TCP URGENT pointer (CVE-2019-1255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263)
Vulnerabilities leading to DoS, information leak or logical flaws
- Malformed TCP options leading to TCP connection DoS (CVE-2019-12258)
- Unsolicited reverse ARP reply handling logical flaw (CVE-2019-12262)
- IPv4 assignment logical flaw by ipdhcpc DHCP client (CVE-2019-12264)
- IGMP parsing NULL dereference (DoS) (CVE-2019-12259)
- IGMP information leak (CVE-2019-12265)
What devices are at risk?
Armis researchers have estimated that more than two billion (yes, billion) devices are at risk of the URGENT/11 vulnerability. These are not mundane, run-of-the-mill devices either, but rather crucial devices including SCADA devices, infusion pumps and patient monitors.
Below is a partial list of impacted devices:
- Industrial controllers
- SCADA devices
- Infusion pumps
- Patient monitors
- Firewalls
- MRI machines
- Printers
- VOIP phones
URGENT/11 attack scenarios
URGENT/11 has been observed in three distinct attack scenarios.
Scenario 1: Attacking network defenses
This scenario affects VxWorks devices placed on a network’s perimeter (such as firewalls). Despite the high level of security these devices exhibit, URGENT/11 can commence direct attacks against these devices and take control over both the devices and eventually the network as well.
For example: There is a direct attack with a specially made TCP packet that takes control over all firewalls simultaneously, turning them into a formidable botnet that will compromise the networks they protect.
Scenario 2: Outside attack bypassing network security
This attack can impact any device running VxWorks with an external network connection. URGENT/11 can bypass security devices such as firewalls and NAT solutions on the perimeter and use low-level vulnerabilities that are viewed as benign network communications, thereby masking the attack.
For example: an attacker bypasses network security and intercepts a printer’s TCP connection (cloud application connected) to trigger an URGENT/11 RCE vulnerability present on the printer.
Scenario 3: Attacking from within the network
Once the network position has been established, attackers can send target devices packets that allow full device control without user interaction or prior information about the targeted device. URGENT/11 also allows for the breach of all vulnerable devices on the network at once, simply by broadcasting malicious packets through the network.
For example: a patient monitor with no internet connection sits behind layers of network security. Despite not being connected to the internet, an attacker can easily take over the device by broadcasting malicious packets.
Conclusion
URGENT/11 is a vulnerability affecting devices running the VxWorks RTOS. Affected devices span a range of critical infrastructure and medical devices, and the results of an attack that takes advantage of URGENT/11 vulnerabilities can be dramatic — including taking over a patient monitor and faking a life-threatening emergency.
Wind River, the company that owns VxWorks, has released update and patch information for impacted devices in a security alert which can be found here.
Learn Vulnerability Management
Sources
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- URGENT/11 vulnerability
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
