Unpatched, Unprepared, Unprotected: How Critical Device Vulnerabilities Remain Unaddressed
By Ben Seri, VP of Research
97% of URGENT/11 and 80% of CDPwn Vulnerable Devices Remain Unpatched Putting Thousands of Organizations at Risk of Attack
Armis has continued to track exposure to the URGENT/11 and CDPwn vulnerabilities over the past 18 months. Based on that research, we have identified that 97% of the OT devices impacted by URGENT/11 have not been patched, and 80% of those affected by CDPwn remain unpatched. As startling as those figures are, it is even more concerning when you break the data down by industry and understand what is at risk.
NSA & CISA Warn These Devices Are Being Targeted
The seriousness of these unpatched and exploitable devices has become even more of an issue given the three critical issues outlined below. These devices are not simply used in everyday businesses but are core to our healthcare, manufacturing, and energy industries. And over the last few months, there have been repeated warnings of attacks on these devices.
1) NSA Warns CDPwn One of Top 25 Targeted Attacks from China
On October 20, 2020, the NSA published a report identifying the Top 25 vulnerabilities that are currently being consistently scanned, targeted, and exploited by Chinese state-sponsored hacking groups. CDPwn (CVE-2020-3118) was identified as #24 on the list. By exploiting the CDPwn vulnerabilities, attackers could eavesdrop on voice calls and video feeds, break network segmentation, set up man-in-the-middle attacks, or exfiltrate critical information.
2) NSA & CISA Alert AA20-205A: A “Perfect Storm” For Attack on Infrastructure
On July 23, 2020, the NSA and CISA jointly issued Alert AA20-205A to all critical infrastructure and service operations that rely upon operational technology (OT) systems to deliver core services. The alert stressed that the combination of Internet-accessible OT systems and the fact that most legacy OT devices are not designed to defend against malicious cyber activity creates a “perfect storm.” Corrective steps recommended included patching, which our research shows is not happening nearly fast enough.
3) CISA, FBI, & HHS Alert AA20-302A - Hospitals Warned of Imminent Ransom-based Attacks
On October 28, 2020, CISA, the FBI, and HHS issued alert AA20-302A, warning of tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with ransomware, notably Ryuk, TrickBot, and Conti. This alert was particularly concerning given the rising number of hospitalizations due to the surge in COVID-19 cases, not to mention the forthcoming vaccine production and distribution. On December 3, 2020, IBM Security X-Force (an Armis partner) reported on malicious cyber actors targeting the COVID-19 cold chain, an integral part of delivering and storing the vaccine at safe temperatures.
URGENT/11 impacted medical devices, as noted in our October 2019 update. However, some manufacturers did not provide updates. Even where updates exist, deploying them to the impacted devices is a labor-intensive process.
Cisco did provide patches for CDPwn in conjunction with our disclosure.
URGENT/11 Exposures Remain a Risk
The URGENT/11 vulnerabilities affect enterprise devices and medical devices, as well as operational technology (OT), industrial control systems (ICS), and programmable logic controllers (PLCs). Affected devices are typically used in production and manufacturing environments to carry out mission-critical tasks, such as monitoring and controlling the physical equipment that operates various instruments (e.g., motors, valves, and pumps).
Using one of the critical RCE (remote-code-execution) vulnerabilities from URGENT/11, we were able to exploit two of the most common PLCs: the ControlLogix Ethernet module 1756-EN2TR from Rockwell Automation, and the Modicon M580 from Schneider Electric. In the case of the Rockwell Automation PLC, we took control of the Ethernet module that manages communication between the PLC and the engineering workstation, and from there gained unconstrained access to the PLC. In the Modicon M580, the Ethernet module is built into the PLC itself, so taking it over gave us ring-0 access to the entire PLC. The exploit requires neither authentication nor user interaction. With this level of access, an attacker can alter code on the PLC and change incoming or outgoing messages, sending false or misleading data to the engineering workstation.
Last October, Armis researchers Barak Hadad and Dor Zusman presented a talk at BlackHat Asia on the effects of URGENT/11 on the OT sector, and on PLCs specifically. The talk took a deep dive into the defenses that exist within Schneider Electric and Rockwell Automation PLCs and demonstrated how they fall short when confronted with the URGENT/11 vulnerabilities, as shown in the videos below.
Demo of a Rockwell PLC Takeover
Demo of a Schneider Electric PLC Takeover
Demo of a Broadcast DoS Takeover
Securing From CDPwn
As mentioned, even though Cisco released patches in conjunction with our disclosure of the CDPwn vulnerabilities, the majority of impacted devices (80%) remain unpatched. The CDPwn vulnerabilities impact tens of millions of enterprise devices, including switches, routers, VoIP phones, and IP cameras. While most attacks occur at the application or network layers, CDPwn is unusual in that CDP is a Layer 2 (data link) protocol: the malicious frames carry no IP header, so they cannot be routed beyond the local segment, but every CDP-enabled device on that segment can be reached without an IP address, a session, or credentials.
There are many potential implications of the CDPwn vulnerabilities. We developed an exploit that defeats the built-in mitigations used by the vulnerable Cisco devices (such as ASLR, address space layout randomization) and demonstrated that it is possible to take control of all VoIP phones on a given local network segment simultaneously, using maliciously crafted Ethernet broadcast packets. A broadcast attack of this nature is extremely rare and gives an attacker a uniquely powerful capability: no reconnaissance is needed to identify specific targets. The attacker can simply take an opportunistic approach, send the crafted broadcast packets onto the network, and take over every vulnerable device on the same LAN in parallel.
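To make the Layer 2 point concrete, here is a small CDP frame builder and parser. It is an added example for this article, not Armis code, and it does not reproduce any CDPwn exploit. It shows why a single frame reaches every CDP listener on a segment (CDP frames go to the 01:00:0c:cc:cc:cc multicast MAC inside an LLC/SNAP header with the Cisco OUI and PID 0x2000, and never carry an IP layer), and the TLV bounds checks a receiver or a passive network monitor should enforce so that a crafted frame cannot push a naive TLV loop past the end of the buffer. The sample frames, the source MAC, and the device and port names are constructed for the example.

```python
"""
Minimal CDP (Cisco Discovery Protocol) frame builder, parser and sanity
checker. Added example, not Armis code and not an exploit. All frames, MACs
and names are constructed for illustration.
"""
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")   # every CDP speaker listens here
CISCO_OUI = bytes.fromhex("00000c")
CDP_SNAP_PID = 0x2000
LLC_SNAP_HDR = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_SNAP_PID)
SRC_MAC = bytes.fromhex("020000000001")             # locally administered, made up

TLV_DEVICE_ID, TLV_PORT_ID, TLV_PLATFORM = 0x0001, 0x0003, 0x0006
TLV_HDR = 4      # type(2) + length(2); the length field includes these 4 bytes


class CdpFormatError(ValueError):
    """Raised for anything a careful CDP receiver should refuse to process."""


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over `data` with the checksum field already zeroed.
    Cisco pads odd-length payloads differently from RFC 1071; this example only
    builds even-length payloads, so that quirk is deliberately not handled."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, TLV_HDR + len(value)) + value


def build_payload(body: bytes, version: int = 2, ttl: int = 180) -> bytes:
    """CDP header (version, TTL, checksum) followed by an arbitrary TLV body."""
    csum = ones_complement_checksum(struct.pack("!BBH", version, ttl, 0) + body)
    return struct.pack("!BBH", version, ttl, csum) + body


def build_frame(payload: bytes) -> bytes:
    """802.3 frame: dst MAC, src MAC, length (not an EtherType), LLC/SNAP, CDP.
    There is no IP header anywhere, which is why this never leaves the segment."""
    length = len(LLC_SNAP_HDR) + len(payload)
    return CDP_MULTICAST_MAC + SRC_MAC + struct.pack("!H", length) + LLC_SNAP_HDR + payload


def parse_frame(frame: bytes, max_tlvs: int = 64) -> dict:
    """Parse a CDP frame, refusing anything that would make a naive parser
    over-read or loop: truncated headers, TLV length < 4, TLVs past the end."""
    if len(frame) < 14 + len(LLC_SNAP_HDR) + 4:
        raise CdpFormatError("frame too short for CDP")
    dst, src = frame[:6], frame[6:12]
    (length,) = struct.unpack("!H", frame[12:14])
    if dst != CDP_MULTICAST_MAC:
        raise CdpFormatError("not addressed to the CDP multicast MAC")
    if length > 1500:
        raise CdpFormatError("EtherType instead of 802.3 length; not SNAP-encapsulated CDP")
    if frame[14:22] != LLC_SNAP_HDR:
        raise CdpFormatError("LLC/SNAP header is not Cisco OUI / PID 0x2000")
    payload = frame[22:14 + length]
    if len(payload) < 4 or len(payload) != length - len(LLC_SNAP_HDR):
        raise CdpFormatError("CDP payload truncated")
    version, ttl, csum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise CdpFormatError("unknown CDP version %d" % version)
    if ones_complement_checksum(payload[:2] + b"\x00\x00" + payload[4:]) != csum:
        raise CdpFormatError("checksum mismatch")
    tlvs, off, count = {}, 4, 0
    while off < len(payload):
        if len(payload) - off < TLV_HDR:
            raise CdpFormatError("truncated TLV header at offset %d" % off)
        tlv_type, tlv_len = struct.unpack("!HH", payload[off:off + TLV_HDR])
        if tlv_len < TLV_HDR:      # would otherwise loop forever or underflow
            raise CdpFormatError("TLV length %d smaller than its header" % tlv_len)
        if off + tlv_len > len(payload):
            raise CdpFormatError("TLV type 0x%04x runs past end of payload" % tlv_type)
        tlvs[tlv_type] = payload[off + TLV_HDR:off + tlv_len]   # last duplicate wins
        off, count = off + tlv_len, count + 1
        if count > max_tlvs:
            raise CdpFormatError("too many TLVs")
    return {"src_mac": src.hex(":"), "version": version, "ttl": ttl, "tlvs": tlvs}


def classify(frame: bytes):
    """('ok', parsed dict) for a well-formed frame, ('malformed', reason) otherwise."""
    try:
        return "ok", parse_frame(frame)
    except CdpFormatError as exc:
        return "malformed", str(exc)


# Constructed sample frames (not captures): one well-formed advertisement and
# two whose TLV lengths a sloppy parser would mishandle.
GOOD_FRAME = build_frame(build_payload(
    tlv(TLV_DEVICE_ID, b"switch01") + tlv(TLV_PORT_ID, b"GigabitEthernet1/0/1")
    + tlv(TLV_PLATFORM, b"cisco WS-C2960")))
TLV_TOO_SHORT = build_frame(build_payload(
    tlv(TLV_DEVICE_ID, b"evil") + struct.pack("!HH", TLV_PORT_ID, 2) + b"\x00\x00"))
TLV_OVERRUN = build_frame(build_payload(
    tlv(TLV_DEVICE_ID, b"evil") + struct.pack("!HH", TLV_PORT_ID, 0x0400) + b"AB"))

if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("tlv_too_short", TLV_TOO_SHORT),
                        ("tlv_overrun", TLV_OVERRUN)]:
        print(name, classify(frame))
```

The same validation loop is what a passive monitor on a SPAN port would run over every frame to the CDP multicast address: a frame that fails it, or that arrives at a rate no legitimate neighbor advertisement would, is a strong signal that something on the segment is probing CDP implementations rather than announcing itself.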
At the same BlackHat Asia conference, Barak Hadad and I presented a talk on the challenges of developing an exploit that overcomes the built-in mitigations in Cisco devices (ASLR, among others) while still working in a broadcast fashion.
Demo of Cisco VOIP Phone Takeover
Critical Exposures Remain
Healthcare and medical devices, as well as OT systems and PLCs, were traditionally kept off the IP network in their own segmented world. The introduction of IoMT and industrial IoT, combined with the drive to centrally manage and monitor those environments and share their data, has increasingly led to their being connected to the network and reachable from the Internet. In that scenario, combining the CDPwn and URGENT/11 vulnerabilities represents a very serious risk: an attacker can take over Cisco network equipment, move laterally across the network, and reach mission-critical devices like infusion pumps and PLCs. An attacker can infiltrate a network, lie in wait, conduct reconnaissance undetected, and then execute an attack that causes significant financial or property damage, disrupts production or operations, or disrupts patient care.
A Stuxnet-Like Attack
One of the most notorious examples of an attack against OT systems is Stuxnet. Stuxnet is a computer worm discovered in 2010 that targets SCADA systems. It is believed to be responsible for, and possibly specifically engineered with the intent to, cause irreparable physical damage to nuclear facilities and the nuclear program in Iran. Stuxnet specifically targeted PLCs used to automate the electromechanical processes of gas centrifuges for enriching uranium. It exploited several Windows zero-day flaws to spread and reach the engineering software, through which it reprogrammed the PLCs and physically destroyed the rapidly spinning centrifuges. It is commonly believed that the worm was delivered via a USB drive that made its way into the facility.
Could CDPwn and URGENT/11 be used for a similar attack? A bad actor would not need a USB drive: CDPwn can provide the foothold in the network, and URGENT/11 can then be used to take over a device. One of the signature elements of Stuxnet was its ability to hide itself and the impact of the attack. An attacker could use URGENT/11 to take over vulnerable devices without authentication or any user interaction and, having compromised the device, cause damage while remaining hidden from the monitoring system in much the same way.
While Stuxnet relied on zero-day vulnerabilities, zero-days are not necessary. Every entry on the NSA Top 25 list is a known, publicly disclosed vulnerability that organizations may simply not have patched or mitigated.
The Lingering Exposure
Today, there are exploitable vulnerabilities in hundreds of millions of devices that can allow attackers to compromise or destroy OT environments, and many of these devices cannot be patched or updated. But managing this risk goes beyond business continuity, operations, or patient care. Gartner recently predicted that 75% of CEOs will be personally liable for cyber-physical incidents by 2024, making this a huge, high-profile issue that companies need to address.
Much of the technology that makes up the foundation of our healthcare delivery, critical infrastructure, and manufacturing capabilities is at risk and simply cannot be patched or updated. To adequately protect your network and mitigate the risk of cyber attacks, you need to have tools in place capable of providing complete visibility of the unprotected assets on your network, behavioral analysis of the activity of those devices, and a capability to remediate issues or isolate compromised devices.
Most IT, IoMT, OT, and IoT devices lack any means of installing cybersecurity software or agents, which means you need agentless protection capable of discovering every device in the environment and detecting vulnerable code on those devices. You should also be able to map the connections each device makes across your network and detect anomalies that indicate suspicious or malicious behavior or communications, so you can take the appropriate action.