Vulnerabilities are not present in mainline enterprise operating systems (OS) alone — they can also be found in the Real Time Operating Systems (RTOS) used in critical infrastructure, medical and other critical industries.
URGENT/11 is one such set of RTOS vulnerabilities, found in a third-party TCP/IP networking stack known as IPnet. It affects industrial, SCADA, medical and enterprise devices and is a good case study in what an RTOS vulnerability looks like.
This article will detail the URGENT/11 vulnerability and will explore what URGENT/11 is, the vulnerabilities that URGENT/11 comprises, URGENT/11 attack scenarios and more.
What is an RTOS?
Before you can understand URGENT/11, you have to understand the universe it exists in. Most enterprise and consumer computer OS are general-purpose: they run many applications at once and schedule them for overall throughput and responsiveness rather than for guaranteed timing.
An RTOS is an OS whose scheduler is deterministic: it guarantees that a task will run, and an event will be handled, within a bounded and predictable time. That predictability is essential where data must be processed without delay, including SCADA, medical devices and some enterprise equipment. Security matters at least as much for an RTOS as for a general-purpose OS, because a compromise can disrupt exactly those time-sensitive operations. Vulnerabilities are reported less often for RTOSs, but that reflects how much less scrutiny their code receives rather than any inherent robustness.
What is URGENT/11?
Discovered by a research team at Armis Labs, URGENT/11 is a set of vulnerabilities in IPnet, the third-party TCP/IP stack used by the VxWorks RTOS, affecting all VxWorks versions since 6.5 (excluding the versions designed for safety certification). Before Wind River acquired IPnet in 2006, the stack was licensed to a variety of other RTOSs, which may therefore also be affected by URGENT/11, but at the time of the disclosure no affected builds of those systems had been confirmed.
URGENT/11 is a set of 11 different vulnerabilities. Six enable Remote Code Execution (RCE) and are classified as critical. The other five vulnerabilities in the set are denial of service, logical flaws or information leaks.
What makes URGENT/11 so concerning is that it allows attackers to take control of devices without user interaction and to get past perimeter security devices, including NAT solutions and firewalls. An attacker can use it to plant malware on networks and connected devices and gains wide-ranging control of impacted devices, including shutting down infusion pumps, leaking information, taking over patient monitors and even faking a life-threatening emergency.
Because exploitation needs no user interaction and can be triggered by a single network packet, this type of vulnerability is considered "wormable," like the SMBv1 flaw exploited by EternalBlue, which WannaCry used to spread in 2017.
Vulnerabilities that comprise URGENT/11
URGENT/11 comprises 11 vulnerabilities:
Critical RCE vulnerabilities
- Stack overflow in IPv4 option parsing (CVE-2019-12256)
- DHCP Offer/ACK parsing heap overflow in ipdhcpc (CVE-2019-12257)
- Four memory corruption vulnerabilities centered on TCP Urgent Pointer handling (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263)
Vulnerabilities leading to DoS, information leak or logical flaws
- Malformed TCP options leading to TCP connection DoS (CVE-2019-12258)
- Unsolicited reverse ARP reply handling logical flaw (CVE-2019-12262)
- IPv4 assignment logical flaw by ipdhcpc DHCP client (CVE-2019-12264)
- IGMP parsing NULL dereference (DoS) (CVE-2019-12259)
- IGMP information leak (CVE-2019-12265)
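Several of the bugs above are reachable only through packets of a recognisable shape: the TCP Urgent Pointer bugs need the URG flag set (CVE-2019-12255 is the case where the pointer is zero), CVE-2019-12258 needs a TCP options field whose lengths do not add up, and CVE-2019-12256 lives in IPv4 options parsing. The following Python script, an added example that is not Armis' detection tool or any code from the original page, shows how a network monitor or packet-capture analyser can check raw IPv4/TCP bytes for those shapes. The packets it inspects are constructed inline; the choice to flag source-route options (LSRR/SSRR) as the IPv4-option shape of interest is an assumption, and checksums are not validated. A match means a packet is anomalous and worth investigating, not that exploitation occurred.

```python
"""Packet-shape checks for URGENT/11-style traffic (constructed example)."""
import struct

IP_OPT_LSRR, IP_OPT_SSRR = 0x83, 0x89   # loose / strict source route
TCP_URG = 0x20                          # URG bit in the TCP flags byte


def build_ipv4(proto, payload, options=b""):
    """Build an IPv4 header (checksum left 0) with optional IP options."""
    options += b"\x00" * (-len(options) % 4)          # pad to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


def build_tcp(flags, urg_ptr=0, options=b"", payload=b""):
    """Build a TCP segment (checksum left 0) with optional TCP options."""
    options += b"\x00" * (-len(options) % 4)
    doff = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, flags, 8192, 0, urg_ptr)
    return hdr + options + payload


def walk_options(opts):
    """Walk a TLV option field (IPv4 and TCP share the EOL=0 / NOP=1 layout).

    Returns (parsed options, malformed flag). A kind byte without a length,
    a length below 2, or a length running past the field marks the options
    as malformed; a stack that trusts those lengths is what CVE-2019-12258
    style bugs exploit.
    """
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # EOL: nothing more to parse
            break
        if kind == 1:                       # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            return out, True
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return out, True
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out, False


def check_packet(pkt):
    """Return a list of finding labels for one raw IPv4 packet."""
    findings = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return ["ipv4-bad-ihl"]
    ip_opts, bad = walk_options(pkt[20:ihl])
    if bad:
        findings.append("ipv4-malformed-options")
    if any(kind in (IP_OPT_LSRR, IP_OPT_SSRR) for kind, _ in ip_opts):
        findings.append("ipv4-source-route-option")   # assumption: shape of interest
    if pkt[9] != 6:                                   # not TCP: IP-level checks only
        return findings
    seg = pkt[ihl:]
    if len(seg) < 20:
        return findings + ["tcp-truncated"]
    doff = (seg[12] >> 4) * 4
    flags = seg[13]
    urg_ptr = struct.unpack("!H", seg[18:20])[0]
    if doff < 20 or doff > len(seg):
        return findings + ["tcp-bad-data-offset"]
    if flags & TCP_URG and urg_ptr == 0:              # CVE-2019-12255 trigger shape
        findings.append("tcp-urg-flag-zero-pointer")
    _, bad = walk_options(seg[20:doff])
    if bad:
        findings.append("tcp-malformed-options")
    return findings


# Constructed sample packets; none of this is captured traffic.
SAMPLES = {
    "benign_syn": build_ipv4(6, build_tcp(0x02, options=b"\x02\x04\x05\xb4")),     # SYN + MSS
    "urg_zero": build_ipv4(6, build_tcp(0x18 | TCP_URG, urg_ptr=0, payload=b"x")),
    "bad_tcp_opt": build_ipv4(6, build_tcp(0x02, options=b"\x03\x00")),            # WScale, len 0
    "lsrr": build_ipv4(6, build_tcp(0x02), options=b"\x83\x07\x04" + bytes([10, 0, 0, 9])),
}


def scan(samples=SAMPLES):
    """Run check_packet over every sample and map name -> findings."""
    return {name: check_packet(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name:12s} {findings or 'clean'}")
```

Feeding real captures in is a matter of stripping the link-layer header before calling `check_packet`; the URG check in particular produces few false positives on modern networks, where the urgent mechanism is almost never used.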
What devices are at risk?
Armis researchers estimate that VxWorks runs on more than two billion (yes, billion) devices, so the population exposed to URGENT/11 is enormous. These are not mundane, run-of-the-mill devices either, but rather crucial devices including SCADA devices, infusion pumps and patient monitors.
Below is a partial list of impacted devices:
- Industrial controllers
- SCADA devices
- Infusion pumps
- Patient monitors
- MRI machines
- VOIP phones
URGENT/11 attack scenarios
Armis describes three distinct attack scenarios for URGENT/11.
Scenario 1: Attacking network defenses
This scenario affects VxWorks devices placed on a network's perimeter (such as firewalls). Although these devices exist to enforce security, URGENT/11 allows direct attacks against them, giving the attacker control of the device and, from there, of the network it protects.
For example: a single specially crafted TCP packet, sent to every exposed firewall of a vulnerable model, takes control of all of them at once, turning them into a botnet positioned inside the networks they were meant to protect.
Scenario 2: Outside attack bypassing network security
This attack can impact any device running VxWorks that maintains a connection to the outside. URGENT/11 can bypass perimeter security devices such as firewalls and NAT solutions because the exploit is carried inside an already-established TCP connection, where the malformed packets look like benign network communication, thereby masking the attack.
For example: a printer keeps a TCP connection open to a cloud application. An attacker who can intercept that connection injects packets into it to trigger an URGENT/11 RCE vulnerability on the printer, without ever needing an inbound path through the firewall.
Scenario 3: Attacking from within the network
Once an attacker has a foothold on the network, they can send target devices packets that yield full device control without user interaction or prior knowledge of the targeted device. URGENT/11 also allows every vulnerable device on the network to be breached at once, simply by broadcasting malicious packets across it.
For example: a patient monitor with no internet connection sits behind layers of network security. Despite not being connected to the internet, an attacker can easily take over the device by broadcasting malicious packets.
URGENT/11 is a set of vulnerabilities affecting devices running the VxWorks RTOS. Affected devices span a range of critical infrastructure and medical equipment, and the results of an attack that takes advantage of URGENT/11 can be dramatic, including taking over a patient monitor and faking a life-threatening emergency.
Wind River, the company that owns VxWorks, has published update and patch information for impacted devices in a security alert; device owners should confirm with their vendors which firmware releases carry the fix, since the patch has to reach each product through its manufacturer.