A few months after uncovering 11 remotely exploitable vulnerabilities, six of them critical, in a TCP/IP library widely used in medical devices, firewalls, SCADA systems, and industrial controllers, researchers have found that the bugs affect a much broader range of products than originally thought, including a line of infusion pumps and a number of enterprise hardware and software systems.
The vulnerabilities are known collectively as Urgent/11, and the research team that discovered them originally thought they affected only a real-time operating system called VxWorks. That OS, developed by Wind River Systems, is used in many medical devices and ships with a TCP/IP stack called IPnet, which was originally developed by a company called Interpeak and sold to Wind River in 2006. Before that sale, however, Interpeak licensed IPnet as a standalone library to a variety of customers, who integrated it into their own products. Researchers at security firm Armis discovered several months ago that IPnet contained a series of vulnerabilities that give attackers remote access to target devices with very little effort.
“URGENT/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions. These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks,” Ben Seri, vice president of research at Armis, said in a post about the expanded reach of the flaws.
The vulnerabilities include a stack overflow, four memory corruption flaws, and a heap overflow, among others. Attacks against vulnerable devices could take several forms: direct attacks from the internet against firewalls and other devices with external network connections, or attacks from inside a network that broadcast malicious packets to take over every vulnerable device that receives them. The long tail of these vulnerabilities, which surfaced many years after the release of the vulnerable version of the IPnet stack, highlights the difficulty of securing special-purpose devices, especially those running software that receives little outside scrutiny. Often these devices have no way to install security software or the other defensive mechanisms that are de rigueur on mainstream operating systems and hardware.
“VxWorks includes some optional mitigations that could make some of the URGENT/11 vulnerabilities harder to exploit, but we have not seen these mitigations used by device manufacturers at this time. In the devices we've examined (and exploited), almost no mitigations were used: no ASLR, no stack canaries and no DEP,” the Armis advisory says.
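The following C is an added illustration, not code from IPnet, VxWorks, Armis, or any affected vendor: it shows the general shape of the bug class the advisory describes, a packet-option parser that copies an attacker-controlled number of bytes into a fixed stack buffer, next to a bounds-checked version that rejects the malformed input before any copy happens. The option layout (a type byte, a length byte that counts itself and the type byte, then payload), the 40-byte scratch buffer, and the sample packets are assumptions constructed for this example; they do not describe the real IPnet option formats or the actual Urgent/11 packets.

```c
/*
 * Added illustration (not IPnet/VxWorks code): a fixed-size stack buffer
 * filled from a packet-supplied length, beside a bounds-checked parser.
 * Assumed option layout: [type][len][payload...], where len counts the
 * type and len bytes too. All sample data below is constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPT_PAYLOAD 40   /* capacity of the fixed scratch buffer */

/* Vulnerable shape: the copy size comes straight from the packet. A length
 * byte larger than MAX_OPT_PAYLOAD + 2 writes past scratch[] on the stack;
 * with no stack canary or DEP that overwrite is straightforward to abuse.
 * Shown only for contrast; never call this on untrusted input. */
int parse_option_vulnerable(const uint8_t *opt, size_t avail)
{
    uint8_t scratch[MAX_OPT_PAYLOAD];
    if (avail < 2)
        return -1;
    uint8_t len = opt[1];
    scratch[0] = 0;
    memcpy(scratch, opt + 2, len - 2);   /* len never checked against scratch or avail */
    return scratch[0];
}

/* Hardened: the length is validated against both the bytes actually
 * present in the packet and the destination buffer before the copy.
 * Returns the payload length, or -1 for a malformed option. */
int parse_option_safe(const uint8_t *opt, size_t avail,
                      uint8_t *out, size_t out_len)
{
    if (avail < 2)
        return -1;                 /* need at least type and length bytes */
    size_t len = opt[1];
    if (len < 2 || len > avail)
        return -1;                 /* length must cover itself and fit the packet */
    size_t payload = len - 2;
    if (payload > out_len)
        return -1;                 /* and fit the buffer we copy into */
    memcpy(out, opt + 2, payload);
    return (int)payload;
}

/* Walk a whole options block with the hardened parser. Returns the number
 * of well-formed options, or -1 as soon as one option is malformed. */
int count_options(const uint8_t *opts, size_t n)
{
    uint8_t buf[MAX_OPT_PAYLOAD];
    size_t off = 0;
    int count = 0;
    while (off < n) {
        int payload = parse_option_safe(opts + off, n - off, buf, sizeof buf);
        if (payload < 0)
            return -1;
        off += (size_t)payload + 2;
        count++;
    }
    return count;
}

/* Constructed sample data, not captured traffic. */
static const uint8_t GOOD_OPTS[] = {
    0x02, 0x04, 0x05, 0xb4,   /* type 2, len 4, two payload bytes */
    0x03, 0x03, 0x07,         /* type 3, len 3, one payload byte */
};
/* Second option claims 253 payload bytes but only one byte is left. */
static const uint8_t BAD_OPTS[] = {
    0x02, 0x04, 0x05, 0xb4,
    0x03, 0xff, 0x07,
};

int demo_good(void) { return count_options(GOOD_OPTS, sizeof GOOD_OPTS); }
int demo_bad(void)  { return count_options(BAD_OPTS, sizeof BAD_OPTS); }

/* An option whose length is consistent with the packet but larger than the
 * scratch buffer: the vulnerable parser would overflow here, the hardened
 * one rejects it. */
int demo_oversized(void)
{
    uint8_t pkt[62];
    memset(pkt, 0x41, sizeof pkt);
    pkt[0] = 0x09;   /* type */
    pkt[1] = 62;     /* len: 60 payload bytes, more than MAX_OPT_PAYLOAD */
    return count_options(pkt, sizeof pkt);
}

int main(void)
{
    printf("good=%d bad=%d oversized=%d\n", demo_good(), demo_bad(), demo_oversized());
    return 0;
}
```

The third sample is the one that matters for the mitigation discussion: its length byte is internally consistent with the packet, so a parser that only checks the packet boundary still overflows the fixed buffer, which is why the destination size must be checked too.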
When the Urgent/11 vulnerabilities were originally disclosed this summer, Armis said that devices from manufacturers such as GE Healthcare, Philips, and Dräger were affected. The manufacturers issued advisories, but fixes are not possible for many of the devices because they have no update mechanism. After that original disclosure, an Armis customer contacted the company about an alert identifying a vulnerable device on its network. The device turned out to be an Alaris infusion pump made by Becton Dickinson (BD), a major device manufacturer. But the pump did not run the VxWorks operating system, which puzzled both the researchers and the manufacturer. A couple of weeks later, Armis researchers were able to test one of the BD infusion pumps during DEF CON and found that it was indeed vulnerable, because it embedded the IPnet stack.
“Within about a half hour, with the kind help of BD’s product security representatives, we managed to launch an exploit of one of the URGENT/11 vulnerabilities on the BD Alaris infusion pump, which caused it to crash. Specifically, the network stack crashed displaying an error message, and the infusion pump sounded a loud beeping sound, with the User-Interface becoming unresponsive. Our experiment proved that this device, among others that do not run VxWorks but have implemented the IPnet TCP/IP stack, can still be affected by the URGENT/11 vulnerabilities,” Seri said.
It turned out that several other RTOSes had incorporated the IPnet stack, exposing them to the Urgent/11 vulnerabilities. The Armis researchers identified six other operating systems that implement the IPnet library and are therefore vulnerable: OSE, INTEGRITY, Microsoft ThreadX, ITRON, Mentor Nucleus, and ZebOS. Although the IPnet stack itself is quite old, billions of devices still in use run it in some form.
“Devices using versions of these operating systems may contain the IPnet stack, and thus be vulnerable to URGENT/11. While it may seem as if such devices might already be out of use, there are many still around. Many of the devices that use RTOSs are critical devices, which go through a much longer period of development and approvals than consumer devices, and have significantly longer life cycles once in use,” Seri said.
Because IPnet was licensed to many vendors as a library, there is no single fix that reaches every affected product, but many of the affected manufacturers have issued advisories with specific mitigations and compensating controls for their devices. Both the Department of Homeland Security and the Food and Drug Administration have issued advisories on the newly broadened scope of the Urgent/11 vulnerabilities.