How to Protect Against URGENT/11

If you have read our press rlease and blog describing the vulnerabilities known as URGENT/11 that affect Wind River® VxWorks® operating systems, you know how unusual and how serious these vulnerabilities are.

URGENT/11 is also unusual from a risk mitigation point of view, for two reasons:

1. Device types: None of the devices that contain URGENT/11 vulnerabilities can be protected by traditional security agents. Moreover, many of the impacted devices are sensitive devices that are used in industrial, manufacturing, or healthcare delivery environments; scanning or probing these devices with a traditional network vulnerability scanner is unwise because those actions are likely to disrupt or crash the devices.
2. Attack types: The exploitation of URGENT/11 occurs at a very low level, in the TCP/IP stack. All of the potential URGENT/11 attacks would be “fileless” attacks, so they can’t be detected or blocked by many kinds of network security products (e.g. network sandbox, web filters, network traffic analysis).

So, what should you do? Here are three strategies that we recommend for all enterprises.

These recommendations are for end-user organizations that use devices that may be running VxWorks. If you are a device manufacturer that builds devices based on VxWorks, please patch impacted devices immediately. Update and patch information can be found in the Wind River Security Alert posted on the company’s Security Center.

Strategy 1: Identify and Patch All Vulnerable Devices

The first step in this strategy is to identify all devices that contain URGENT/11 vulnerabilities. A good vulnerability assessment tool should be able to do this. But, as stated above, if you have any critical environments such as manufacturing, process control, or healthcare delivery, you should avoid using a vulnerability assessment tool that relies on scanning or probing because these actions can disrupt or crash your vulnerable devices. Some vulnerability assessment tools, such as Armis, are based on passive technologies which do not endanger devices. Learn more about Armis’ discovery capabilities.

Once all vulnerable devices have been identified, reach out to the device manufacturers for information about patching the software on each device.

Strategy 2: Shield All Vulnerable Devices Via Network Controls

If you have a vulnerable device with a direct Internet connection, e.g. a firewall, this strategy involves placing a device which is not vulnerable between the Internet and your vulnerable device. This could be useful as a temporary measure until the vulnerable device(s) can be patched.

The vast majority of vulnerable devices will not have direct Internet connections. For these devices, Strategy 2 is about isolating your vulnerable devices within a small subnet. The key here is to protect all of your vulnerable devices from receiving a broadcast packet from an attacker that has already compromised another device on the local LAN. Only routers can block this type of attack because, by design, broadcast packets do not traverse network segments.

To learn more about network segmentation, you may wish to download this report and read the recommendations by Gartner Vice President Tim Zimmerman.

We should point out that Strategy 2 is not easy. Network segmentation and “microsegmentation” on the basis of device type is a strategy that has been promoted by network equipment vendors for many years, but adoption has been limited due to the large amount of human effort that is required to implement and maintain a highly granular segmented network.

Furthermore, Strategy 2 should only be used as a temporary measure until vulnerable devices can be patched or replaced. This is because network components themselves are quite vulnerable to attack; and once compromised, a router can no longer protect the devices that are contained within the subnets controlled by the router. Armis previously demonstrated the vulnerability of network equipment at the RSA 2018 conference.

If you choose to implement this network segmentation strategy, you should also consider putting some type of network monitoring system in place that validates the integrity of your network segmentation. Very often, unexpected connection pathways exist, for example leveraging P2P or Wi-Fi hotspot connections that were unknown at the time that the network segmentation strategy was implemented.

Armis can help both with the planning and validation of your network segmentation strategy. For more information about Armis’ ability to discover network connections, see here.

Strategy 3: Monitor the Behavior of all Vulnerable Devices for Indications of Compromise

For the same reason that most people monitor the behavior of their corporate-owned computers for indications of compromise, you should probably also monitor all devices that are running vulnerable versions of VxWorks for indications of compromise. As previously stated, devices running VxWorks can’t accommodate an EDR (endpoint detection and response) agent, so the monitoring needs to be done at the network level. This is another one of Gartner’s recommendations (see the report previously mentioned).

Here again, Armis can help. Using an agentless approach, Armis continuously monitors the state and behavior of all devices on your network and in your airspace for indicators of compromise and live attack patterns. Armis compares real-time device activity to established, “known-good” baselines that are stored in the Armis Device Knowledgebase. When a device begins to operate outside of its normal known-good profile, Armis issues an alert or triggers automated actions. The alert can be caused by a misconfiguration, a policy violation, or—in the case of URGENT/11—abnormal behavior such as inappropriate connections and malformed TCP/IP packets that indicate an attack.

Because Armis leverages a crowd-sourced Device Knowledgebase, Armis can detect compromised devices immediately upon deployment. There is no learning period or tuning period. And unlike legacy behavior anomaly tools that simply look at deviations from historical traffic flows, Armis generates practically zero false positives.

I hope everyone reading this article is able to take all the steps that are necessary to mitigate the risks introduced by URGENT/11.