Vulnerability in IPnet Now Impacts Devices Using Six Additional Operating Systems
Palo Alto, CA – October 1, 2019
Armis, the leading enterprise IoT security company, announced today the discovery that URGENT/11 impacts devices using six additional Real Time Operating Systems (RTOSs) that support the IPnet TCP/IP stack: OSE by ENEA, Integrity by Green Hills, ThreadX by Microsoft, Nucleus RTOS by Mentor, ITRON by TRON Forum, and ZebOS by IP Infusion. This new discovery expands the reach of URGENT/11 to potentially millions of additional medical, industrial and enterprise devices.
Armis confirmed the expanded exposure after being contacted by a hospital, which was using the Armis security platform. Through Armis, the hospital identified an infusion pump impacted by URGENT/11, which was not running VxWorks, but OSE by ENEA. The device was a BD Alaris infusion pump (BD Alaris™ PC Unit). Armis worked with BD to confirm the Alaris infusion pump was impacted. Infusion pumps play a critical role in hospitals delivering fluids, medications, blood and blood products.
“The key takeaway from the BD Alaris discovery is that the URGENT/11 vulnerabilities have a much wider impact than first believed,” said Ben Seri, vice president of research & head of Armis Labs. “While we considered the possibility of operating systems other than VxWorks being affected, which we referenced in our original disclosure, the BD Alaris pump provided confirmation of the complexity and broader reach of these vulnerabilities.”
As a part of a coordinated vulnerability disclosure process, FDA, DHS, and manufacturers are releasing communications to make public health stakeholders aware of these vulnerabilities and actions that they can take to mitigate risk. To the best of all organizations’ knowledge, there is no indication the URGENT/11 vulnerabilities have been exploited in the wild.
This announcement is a follow-up to the original URGENT/11 disclosure announcement on July 29, 2019, which prompted a multi-industry effort to address the critical vulnerabilities that were discovered. More than 30 vendors have issued security advisories on URGENT/11, including leading medical manufacturers such as GE Healthcare, Philips, Drager, and now BD. At the Black Hat conference this past August, Armis researchers demonstrated the critical impact of URGENT/11 on medical devices by taking over the Xprezzon hospital bedside patient monitor by Spacelabs. Today, Spacelabs has released its advisory and updates as well. The FDA and DHS have also issued communications encouraging device manufacturers to take immediate action to determine if they are impacted and to take the necessary actions.
The healthcare and manufacturing sectors are primary users of RTOSs for their devices. These devices undergo a much longer period of development and approval than consumer devices, and have significantly longer life cycles once in use, which is why they are especially prone to vulnerabilities in legacy code. Since the July 2019 announcement, Armis has been able to validate the impact on the additional IPnet-based RTOSs mentioned above by analyzing devices built on each OS that were also found vulnerable to URGENT/11:
Only devices running IPnet on these RTOSs are impacted; the vulnerabilities are in the IPnet stack, not in the operating systems themselves. For example, a Green Hills Integrity device that uses Green Hills' own GHNet TCP/IP stack instead of IPnet is not affected.
Armis is the leading agentless, enterprise-class security platform to address the new threat landscape of unmanaged and IoT devices. Fortune 1000 companies trust our unique out-of-band sensing technology to discover and analyze all managed, unmanaged, un-agentable and IoT devices—from traditional devices like laptops and smartphones to new unmanaged smart devices like smart TVs, webcams, printers, HVAC systems, industrial control systems, medical devices and more. Armis discovers devices on and off the network, continuously analyzes endpoint behavior to identify risks and attacks, and protects critical information and systems by identifying suspicious or malicious devices and quarantining them. Headquartered in Palo Alto, California, Armis is a privately held company. Follow us on Twitter, LinkedIn and Facebook.