By Ben Seri, VP of Research
Following the discovery of the URGENT/11 vulnerabilities in the VxWorks RTOS (Real Time Operating System), Armis began to identify vulnerable devices in the networks of its customers, and protect them against potential exploitation attempts. By searching for vulnerable devices on real networks, Armis revealed that the impact of the URGENT/11 vulnerabilities is much wider than first believed. Aside from most VxWorks versions from the past 13 years, URGENT/11 affects additional RTOSs that have supported the IPnet TCP/IP stack in the past, including ENEA’s OSE, Green Hills INTEGRITY, Microsoft’s ThreadX, Mentor’s Nucleus RTOS, and ITRON by TRON Forum. The IPnet TCP/IP stack was also implemented in ZebOS, a routing framework by IP Infusion used on top of OSs by networking companies as the basis for their networking products such as routers and switches.
The IPnet TCP/IP stack was developed by Interpeak and sold as a 3rd party library to customers of various OSs, until Interpeak was acquired in 2006 by Wind River, the company developing VxWorks. Since the acquisition, IPnet has gradually stopped being integrated and supported by RTOSs other than VxWorks. Despite this, some devices continue using IPnet even today. The primary users of RTOSs are critical devices such as medical devices, which can have exceptionally long life cycles, making them especially prone to vulnerabilities in legacy 3rd party code. An example of such a device is Becton Dickinson’s (BD) widely used Alaris infusion pump. The Alaris infusion pump runs on ENEA’s OSE with the IPnet TCP/IP stack, and is therefore affected by URGENT/11.
Prior to being acquired by Wind River, Interpeak sold the IPnet stack to various device manufacturers, either directly, or through resellers. The stack was usually sold in a perpetual license, as a one-time chunk of code, receiving little or no updates after the initial handover. In cases in which the stack was sold with a perpetual license by resellers, not all of its users or uses can be traced. This combination of embedded, and at times, untraceable code which receives no updates creates a time bomb for any bug discovered in the original code throughout the years, including the URGENT/11 vulnerabilities. This is not only a major problem for the manufacturers of such devices, but also for organizations using them, which have no real visibility of the potential threats lurking on their networks in their devices. This situation illustrates the complexity in addressing such a vulnerability.
Following our original publication of the URGENT/11 vulnerabilities, various companies issued over 30 security advisories detailing prominent devices impacted, including leading global medical technology companies like GE Healthcare, Philips, Drager, and now BD. The updated list of advisories can be found here. Today, Spacelabs also provided an advisory on its Xprezzon patient monitor, which is impacted by URGENT/11 via use of IPnet in VxWorks v6.6, which was released 12 years ago, and is an example of the long life cycles of medical devices and the operating systems they depend on.
Armis researchers were able to successfully exploit URGENT/11, and reach remote code execution over the Xprezzon patient monitor. In the following video they demonstrate how this exploit can allow an attacker to alter vital readings, create false alarms, and essentially gain full control over all information displayed on the monitor.
A New Tool To Identify URGENT/11 Vulnerable Devices
Armis also released today the URGENT/11 Detector, a free, downloadable tool designed to detect devices vulnerable to URGENT/11 regardless of the RTOS the device uses. We strongly encourage organizations to use the open-source tool to detect vulnerable devices in their networks and update them promptly.
The URGENT/11 Detector is an active tool that uses various non-invasive fingerprinting techniques to determine whether a device is using the IPnet TCP/IP stack, and whether it is vulnerable to URGENT/11. The tool implements four distinct detection methods, each a TCP/IP stack fingerprint sent to a target host. It calculates the combined score of all the methods and determines whether the target host runs an OS that relies on the IPnet TCP/IP stack, and whether that OS is VxWorks or not.
It will also test the host for one of the URGENT/11 vulnerabilities (CVE-2019-12258), which affects all versions of VxWorks that implement IPnet, and so it can determine whether a VxWorks-based device that uses IPnet has been patched against URGENT/11 or not.
Recap - What Is URGENT/11?
URGENT/11 is a group of 11 zero-day vulnerabilities discovered by Armis researchers in the IPnet TCP/IP stack implemented by various RTOSs, and primarily by VxWorks, a widespread RTOS used by over 2 billion devices, including critical industrial, medical and enterprise devices. The vulnerabilities impact IPnet versions from the last 16 years, and thus affect a wide range of devices. URGENT/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions. These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks. Such an attack has severe potential, resembling that of the EternalBlue vulnerability, used to spread the WannaCry malware.
Armis Detects New Vulnerable Critical Devices
Once Armis published the URGENT/11 vulnerabilities, it began identifying vulnerable devices on the networks of its customers, to protect them against potential exploitation attempts. The Armis platform passively inspects the traffic on its customers’ networks to identify all layers of software running on each device that may contain vulnerabilities which expose the device to attacks and can compromise the entire network. In one such instance, an alert popped up in a hospital network protected by the Armis platform, alerting the system managers to affected devices within it. These devices were Becton Dickinson (BD) Alaris™ PC Units (infusion pumps), a prominent device in use by hospitals which runs on ENEA’s OSE, and they were identified by Armis as using the impacted IPnet stack.
The hospital then sent an inquiry to BD, to determine if in fact this device is impacted, and if so whether a patch for this device is available. Initially, BD responded that they do not believe the device was in fact affected by the vulnerabilities, as it does not run VxWorks, which is the primary implementer of the IPnet stack since 2006.
Luckily, we had a chance to verify whether the device is in fact vulnerable at this year's DEF CON Medical Device Village, which took place a few days after the original URGENT/11 announcement. The Medical Device Village is a welcome initiative which connects device manufacturers and the security community to try to detect security flaws and vulnerabilities in medical devices in order to improve their security. In the village, a hospital-like environment was set up, and representatives from ten large medical device manufacturers, including Philips Health, Medtronic, Abbott, and BD, brought their expertise and medical devices to be evaluated, and potentially hacked, by conference attendees such as ourselves.
Within about half an hour, with the kind help of BD’s product security representatives, we managed to launch an exploit of one of the URGENT/11 vulnerabilities against the BD Alaris infusion pump, which caused it to crash. Specifically, the network stack crashed displaying an error message, the infusion pump emitted a loud beep, and the user interface became unresponsive. Our experiment proved that this device, among others that do not run VxWorks but have implemented the IPnet TCP/IP stack, can still be affected by the URGENT/11 vulnerabilities. Once the effect of the vulnerability was proven, Armis and BD began working together to determine the full scope of the vulnerabilities, in order to develop a patch against them and mitigate their risk.
Day 1: Hospital Under Siege. Ready? pic.twitter.com/HcXfH5RkWA
— Biohacking Village @ DEF CON (@DC_BHV) August 9, 2019
URGENT/11 Affects Non-VxWorks Operating Systems
The main takeaway from the BD Alaris discovery is that the URGENT/11 vulnerabilities have a much wider impact than first believed. While the possibility of operating systems other than VxWorks being affected was considered and even mentioned in our original publication, the BD Alaris infusion pump provided us with concrete confirmation. Since the URGENT/11 vulnerabilities reside in IPnet, VxWorks' TCP/IP stack, they also affect certain versions of other OSs which integrated it before it was bought by Wind River in 2006 and became an exclusive stack of VxWorks.
Of the 11 vulnerabilities comprising URGENT/11, we have confirmed that three have existed in IPnet prior to its acquisition, with one of them being a critical remote-code-execution vulnerability. These are the versions of the IPnet components in which the vulnerabilities were first introduced:
- TCP Urgent Pointer Zero RCE vulnerability (CVE-2019-12255) -- IPTCP r6_0_0 and later
- Reverse ARP logical flaw (CVE-2019-12262) -- IPNET2 r2_8_0 and later
- DHCP client (ipdhcpc) IPv4 assignment logical flaw (CVE-2019-12264) -- IPAPPL r1_2_0 and later
Two additional vulnerabilities were introduced in the first version of IPnet that was included in VxWorks (v6.5), and were likely ported to OSE's copy of IPnet at the time:
- TCP connection DoS via malformed TCP options (CVE-2019-12258)
- DoS via NULL dereference in IGMP parsing (CVE-2019-12259)
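As an added illustration of the kind of TCP/IP anomaly a defender can watch for (this is example code written for this page, not Armis's detector or any project code), the check below parses raw TCP headers and flags segments that set the URG flag while carrying an urgent pointer of 0, the shape that the name of CVE-2019-12255 describes. The sample segments are constructed inline; ports, sequence numbers and the zeroed checksum are placeholder values, and the rule itself is an assumption based on the vulnerability's name rather than a signature taken from the page.

```python
import struct

TCP_URG = 0x20  # URG bit in the 9-bit TCP flags field (RFC 793)
TCP_ACK = 0x10
TCP_PSH = 0x08


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header and return the fields the check
    needs. Options are skipped via the data offset; payload is not parsed."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x01FF,
            "urg_ptr": urg_ptr, "payload_len": len(segment) - data_offset}


def is_urgent_pointer_zero(segment: bytes) -> bool:
    """Assumed detection rule: legitimate urgent data points past at least
    one byte, so URG set together with an urgent pointer of 0 is anomalous
    and worth alerting on when seen heading to an IPnet-based device."""
    hdr = parse_tcp_header(segment)
    return bool(hdr["flags"] & TCP_URG) and hdr["urg_ptr"] == 0


def make_segment(flags: int, urg_ptr: int, payload: bytes = b"") -> bytes:
    """Build a constructed sample segment (placeholder ports/seq/ack/window,
    checksum left as 0). Test input only, not traffic captured from a device."""
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | flags,
                       8192, 0, urg_ptr) + payload


# Constructed samples: ordinary data, a normal urgent segment, and the anomaly.
SAMPLES = {
    "plain data": make_segment(TCP_ACK | TCP_PSH, 0, b"GET / HTTP/1.0\r\n"),
    "normal urgent": make_segment(TCP_ACK | TCP_URG, 1, b"\xff"),
    "urg pointer zero": make_segment(TCP_ACK | TCP_URG, 0, b"\x00"),
}


def flag_samples(samples: dict) -> list:
    """Return the names of the samples that match the anomaly rule."""
    return [name for name, seg in samples.items() if is_urgent_pointer_zero(seg)]


if __name__ == "__main__":
    print(flag_samples(SAMPLES))  # ['urg pointer zero']
```

The same parser can be fed segments pulled from a pcap, so the rule becomes a cheap passive check alongside active fingerprinting.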
So far, we have identified six additional Real Time Operating Systems which implemented the vulnerable code: OSE created by ENEA, INTEGRITY created by Green Hills, Microsoft’s ThreadX, ITRON by TRON Forum, Mentor’s Nucleus RTOS, and ZebOS, a routing platform which provides TCP/IP services for OSs. Devices using versions of these operating systems may contain the IPnet stack, and thus be vulnerable to URGENT/11. While it may seem as if such devices might already be out of use, many are still around. Many of the devices that use RTOSs are critical devices, which go through a much longer period of development and approvals than consumer devices, and have significantly longer life cycles once in use. So far, we were able to verify that the following devices, which run on the RTOSs mentioned above with the impacted IPnet stack, are vulnerable to URGENT/11, but we believe many more exist, perhaps even using additional OSs:
- Alaris Infusion Pump -- Runs on OSE
- HP Proliant LO100 management engine -- Runs on Nucleus
- Canon MF4270 Printer -- Runs on ThreadX
- ArrowSpan MeshAP 1100 -- Runs on INTEGRITY
- Planex SPX-2420GL Router -- Runs on ZebOS
With today's announcement, the following organizations have posted advisories and safety communications on the expanded exposures:
Legacy Systems Have No Update Mechanisms for Vulnerable Code
The lack of a proper update mechanism is a product of its time. Today, the tech industry has advanced greatly in terms of security and accountability for fixing vulnerable devices. However, many of the critical devices which were manufactured without such a mechanism are still in use, due to their long life cycles. While updating and upgrading critical devices is always a demanding task, without an update mechanism it verges on the impossible. Vulnerabilities such as URGENT/11 threaten to allow attackers to take full control over such sensitive devices, while their manufacturers are challenged to help.
Addressing the CISO Dilemma - Device Visibility
Once devices reach an organization’s network, the CISOs responsible for their security have no way of knowing exactly which code components they are using. They rely on the manufacturers for updates about flaws and for patches to fix them. Hence, in a case such as the BD Alaris infusion pump, if the manufacturer is not aware that its device is vulnerable, the CISO has no way to know either.
As a first step, we encourage organizations to use the free URGENT/11 Detector to detect and treat vulnerable devices, regardless of the RTOS they are running on. To adequately protect their networks over time, CISOs must implement security measures capable of detecting the use of vulnerable code by their devices, and not rely on the supplier alone. The Armis agentless device security platform is able to discover all devices in an enterprise environment that are vulnerable to any of the URGENT/11 vulnerabilities. In addition, the Armis platform tracks device behavior and device connections to and within your network, and detects TCP/IP anomalies that indicate attempts to exploit the URGENT/11 vulnerabilities. For additional information, please click here.