The U.S. Department of Homeland Security and the U.S. Food and Drug Administration have published a warning stating that the Urgent/11 vulnerabilities, details of which were released this summer, pose a threat not only to the VxWorks real-time operating system (RTOS) developed by Wind River.
Armis analysts disclosed the Urgent/11 issues last summer. The vulnerabilities they discovered affect the TCP/IP stack (IPnet), which VxWorks uses to connect to the Internet and to other devices on local networks. Interestingly, Wind River obtained the IPnet stack when it acquired Interpeak in 2006, meaning the stack is not exclusive to VxWorks and was previously licensed to and used by other RTOS providers.
The Urgent/11 vulnerabilities allow malicious code to run on a wide range of devices, from routers and firewalls to printers and industrial equipment.
But, as it has now turned out, the problem is not limited to VxWorks. Testing conducted in the summer revealed that the vulnerabilities also pose a threat to devices running other RTOSes, for example OSE from ENEA, INTEGRITY from Green Hills, Microsoft ThreadX, ITRON from TRON Forum, Mentor Nucleus RTOS, and ZebOS.
Armis specialists have already released a tool that scans networks for devices that contain the IPnet network stack and are vulnerable to Urgent/11.
The U.S. Department of Homeland Security and the U.S. Food and Drug Administration are urging companies and healthcare providers to check their devices and make sure they are not running any of the vulnerable operating systems. So far, the only medical devices deemed vulnerable to Urgent/11 are the BD Alaris infusion pump and the Xprezzon patient monitor.
After the details of the Urgent/11 issues were first disclosed, many manufacturers published security recommendations for working with vulnerable equipment, as well as bug fixes. The following is a list of security recommendations from various companies:
In addition, the developers of a number of operating systems recently recognized as vulnerable to Urgent/11 have published their own statements through the U.S. Department of Homeland Security.
ENEA, the maker of OSE, encouraged users to upgrade to a newer version of OSE or to contact Wind River (now the owner of the Interpeak license) to resolve the issues.
Green Hills Software, the maker of INTEGRITY, also directed affected users to Wind River.
Microsoft said it has never supported IPnet in ThreadX, but some manufacturers may have used ThreadX together with a custom IPnet in their hardware, and as a result some devices that run ThreadX may still be vulnerable.
The TRON Forum states that it publishes only the specification for the ITRON RTOS, and that equipment manufacturers are free to use this specification at their discretion, including with IPnet as the network stack, although this is not recommended in the specification. The TRON Forum reports that it will send alerts to its users through its newsletter to notify developers of the detected vulnerabilities.