Armis Discovers Expanded Reach of URGENT/11 That Highlights Risk to Medical Devices

Vulnerability in IPnet Now Impacts Devices Using Six Additional Operating Systems

Urgent/11 Affects Additional RTOs Iand Impact Highlights Risks to Medical Devices

PALO ALTO, Calif., Oct. 1, 2019 -- Armis, the leading enterprise IoT security company, announced today the discovery that URGENT/11 impacts devices using six additional Real Time Operating Systems (RTOS) that supported IPnet TCP/IP stack, including OSE by ENEA, Integrity by Green Hills, ThreadX by Microsoft, Nucleus RTOS by Mentor, ITRON by TRON Forum, and ZebOS by IP Infusion. This new discovery expands the reach of URGENT/11 to potentially millions of additional medical, industrial and enterprise devices.

Armis confirmed the expanded exposure after being contacted by a hospital, which was using the Armis security platform. Through Armis, the hospital identified an infusion pump impacted by URGENT/11, which was not running VxWorks, but OSE by ENEA. The device was a BD Alaris infusion pump (BD Alaris™ PC Unit). Armis worked with BD to confirm the Alaris infusion pump was impacted. Infusion pumps play a critical role in hospitals delivering fluids, medications, blood and blood products.

“The key takeaway from the BD Alaris discovery is that the URGENT/11 vulnerabilities have a much wider impact than first believed,” said Ben Seri, vice president of research & head of Armis Labs. “While we considered the possibility of operating systems other than VxWorks being affected, which we referenced in our original disclosure, the BD Alaris pump provided confirmation of the complexity and broader reach of these vulnerabilities.”

As a part of a coordinated vulnerability disclosure process, FDA, DHS, and manufacturers are releasing communications to make public health stakeholders aware of these vulnerabilities and actions that they can take to mitigate risk. To the best of all organizations’ knowledge, there is no indication the URGENT/11 vulnerabilities have been exploited in the wild.

This announcement is a follow-up to the original URGENT/11 disclosure announcement on July 29, 2019, that prompted a multi-industry effort to address the critical vulnerabilities that were discovered. More than 30 vendors have issued security advisories on URGENT/11, including leading medical manufacturers such as GE Healthcare, Philips , Drager, and now BD . At the Black Hat conference this past August, Armis researchers demonstrated the critical impact of URGENT/11 on medical devices, by taking over the Xprezzon hospital bedside patient monitor by Spacelabs. Today, Spacelabs has released its advisory and updates as well. The FDA and DHS has also issued communications encouraging device manufacturers to take immediate action to determine if they are impacted and take the necessary actions.

The healthcare and manufacturing sectors are primary users of RTOSs for their devices. These devices undergo a much longer period of development and approvals than consumer devices, and have significantly longer life cycles once in use, which is why they are especially prone to vulnerabilities in legacy code. Since the July 2019 announcement, Armis has been able to validate the impact of the additional RTOSs mentioned above which use IPnet, by analyzing various devices based on each OS that were also found vulnerable to URGENT/11:

  • BD Alaris™ PC Unit (based on OSE)
  • HP Proliant iLO100 management engine (based on Nucleus)
  • Canon MF4270 Printer (based on ThreadX)
  • ArrowSpan MeshAP 1100 (based on INTEGRITY)
  • Planex SPX-2420GL Router (based on ZebOS)

Only devices running IPnet on these RTOSs would be impacted (e.g. does not impact Green Hills using GHNet TCP/IP stack).

Updates and Mitigations

  • Armis provided an URGENT/11 signature and Snort rules to be freely used by Firewall and IDS solutions to detect and help prevent any attempt to exploit these vulnerabilities.
  • Armis released a free downloadable tool , which can identify any device that uses IPnet, whether VxWorks-based or otherwise. This is an active tool, unlike the passive detection that is only available via the Armis solution.
  • Device manufacturers deploying devices with VxWorks  or other impacted RTOSs should reach out to the appropriate software company for information on how to patch impacted devices immediately. Update and patch information from Wind River can be found in the Wind River Security Alert posted on the company’s Security Center
  • Organizations using impacted devices should work with manufacturers to implement mitigations for their devices. Mitigations may include patching, upon patch validation by the device manufacturer.

Additional information:

About Armis

Armis is the leading agentless, enterprise-class security platform to address the new threat landscape of unmanaged and IoT devices. Fortune 1000 companies trust our unique out-of-band sensing technology to discover and analyze all managed, unmanaged, un-agentable and IoT devices—from traditional devices like laptops and smartphones to new unmanaged smart devices like smart TVs, webcams, printers, HVAC systems, industrial control systems, medical devices and more. Armis discovers devices on and off the network, continuously analyzes endpoint behavior to identify risks and attacks, and protects critical information and systems by identifying suspicious or malicious devices and quarantining them. Headquartered in Palo Alto, California, Armis is a privately held company. Follow us on Twitter, LinkedIn and Facebook.