The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the US Food and Drug Administration (FDA) have warned users that far more products are affected by the URGENT/11 vulnerabilities than previously reported. The URGENT/11 problem has turned out to be broader than anticipated.
The multiple flaws in the IPnet stack turned out to be relevant to Microsoft, Green Hills, ENEA and other specialized vendors: as security researchers found, the vulnerable component is used not only by VxWorks but also by a number of other embedded real-time operating systems.
“Security researchers initially believed Urgent/11 only impacted devices using VxWorks, a real-time operating system (RTOS) created by Wind River. The actual issue was tracked down to IPnet, a TCP/IP networking library that was part of VxWorks. However, additional testing over the summer confirmed that devices running real-time operating systems were also impacted,” ICS-CERT reported.
Since Wind River, the maker of VxWorks, acquired Interpeak, the original developer of IPnet, in 2006, the legacy IPnet code that Interpeak had licensed to third parties and that is still embedded in their products is no longer maintained by Interpeak.
Users of the following operating systems are at risk:
- Microsoft ThreadX
- ZebOS Powered by IP Infusion
- ENEA Operating System Embedded (OSE)
- INTEGRITY by Green Hills
- ITRON by TRON Forum
All of these are real-time operating systems used in industrial devices and, in particular, in medical equipment.
Background:
The URGENT/11 vulnerabilities were disclosed in July 2019 by researchers at Armis. Of the eleven flaws identified in the IPnet TCP/IP stack, the most dangerous is CVE-2019-12256, a stack overflow in the parsing of IPv4 header options that allows remote code execution by an unauthenticated attacker. The bug, rated 9.8 on the CVSS scale, is triggered by malformed option fields in the IP header of incoming packets.
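To make the bug class concrete, the following is an added illustration written for this page, not IPnet or VxWorks code and not an exploit for CVE-2019-12256. It walks the IPv4 options area of a constructed header and validates every option length against the header length (IHL) and the destination buffer before copying anything; a parser that trusts the per-option length byte without these checks is exactly the kind of code in which an options-parsing stack overflow arises. The packet bytes, the function names and the error codes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of bounds-checked IPv4 options parsing.
 * This is not IPnet code; error codes and names are invented for the example. */

enum ip_opt_result { OPT_OK = 0, OPT_BAD_IHL = 1, OPT_BAD_LEN = 2 };

#define IPV4_MIN_HDR 20u   /* header without options */
#define IPV4_MAX_HDR 60u   /* IHL is 4 bits, so at most 15 * 4 bytes */

/* Validate and copy the options of an IPv4 header into out (capacity out_cap).
 * Returns the number of option bytes copied, or a negative error code.
 * Nothing past pkt_len or out_cap is ever read or written. */
int ip4_copy_options(const uint8_t *pkt, size_t pkt_len,
                     uint8_t *out, size_t out_cap)
{
    if (pkt_len < IPV4_MIN_HDR)
        return -OPT_BAD_IHL;                 /* too short to hold a header */

    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4u;
    if (ihl < IPV4_MIN_HDR || ihl > IPV4_MAX_HDR || ihl > pkt_len)
        return -OPT_BAD_IHL;                 /* IHL must fit inside the packet */

    size_t opt_len = ihl - IPV4_MIN_HDR;
    if (opt_len > out_cap)
        return -OPT_BAD_LEN;                 /* destination decides, not the packet */

    size_t i = IPV4_MIN_HDR;
    while (i < ihl) {
        uint8_t type = pkt[i];
        if (type == 0)                       /* End of Options List */
            break;
        if (type == 1) {                     /* No Operation: one byte, no length */
            i++;
            continue;
        }
        /* Every other option carries a length byte covering type + len + data. */
        if (i + 1 >= ihl)
            return -OPT_BAD_LEN;             /* length byte would lie past the header */
        uint8_t len = pkt[i + 1];
        if (len < 2 || i + len > ihl)
            return -OPT_BAD_LEN;             /* zero/one-byte length or overrun */
        i += len;                            /* len >= 2 guarantees progress */
    }

    memcpy(out, pkt + IPV4_MIN_HDR, opt_len);
    return (int)opt_len;
}

/* Constructed sample: IHL = 6 (24-byte header) carrying one Router Alert option
 * (type 0x94, length 4). Addresses and checksum are placeholders. */
static const uint8_t good_pkt[24] = {
    0x46, 0x00, 0x00, 0x18, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, 0x01, 0x02,
    0x94, 0x04, 0x00, 0x00
};

/* Same header, but a Loose Source Route option claims 39 bytes while only 4 remain. */
static const uint8_t overrun_pkt[24] = {
    0x46, 0x00, 0x00, 0x18, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, 0x01, 0x02,
    0x83, 0x27, 0x04, 0x00
};

/* Same header with an option length of 1, which a naive walker would loop on. */
static const uint8_t zero_len_pkt[24] = {
    0x46, 0x00, 0x00, 0x18, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, 0x01, 0x02,
    0x83, 0x01, 0x04, 0x00
};

int demo_good(void)      { uint8_t b[40]; return ip4_copy_options(good_pkt, sizeof good_pkt, b, sizeof b); }
int demo_overrun(void)   { uint8_t b[40]; return ip4_copy_options(overrun_pkt, sizeof overrun_pkt, b, sizeof b); }
int demo_zero_len(void)  { uint8_t b[40]; return ip4_copy_options(zero_len_pkt, sizeof zero_len_pkt, b, sizeof b); }
/* IHL says 24 bytes but only 20 were received: the header itself is truncated. */
int demo_truncated(void) { uint8_t b[40]; return ip4_copy_options(good_pkt, 20, b, sizeof b); }
/* Caller's buffer is smaller than the options: refuse rather than overflow. */
int demo_small_dst(void) { uint8_t b[2];  return ip4_copy_options(good_pkt, sizeof good_pkt, b, sizeof b); }

int main(void)
{
    printf("good=%d overrun=%d zero_len=%d truncated=%d small_dst=%d\n",
           demo_good(), demo_overrun(), demo_zero_len(),
           demo_truncated(), demo_small_dst());
    return 0;
}
```

The three rejections that matter are the ones a length-trusting parser lacks: the option length is compared against the IHL-derived header end, a length below 2 is refused so the walk cannot stall or go backwards, and the copy size is bounded by the caller's buffer rather than by anything the packet claims.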
Vendor responses:
Microsoft noted that the vulnerable component is not part of ThreadX itself; however, some hardware manufacturers may have included it in their own builds.
TRON Forum, for its part, said that it only publishes specifications for its OS and that the contents of specific modules are determined by third-party developers; according to the Forum, IPnet is not among the recommended ITRON subsystems.
ENEA and Green Hills advised their customers to upgrade to a software version that no longer contains the vulnerable module. Where such an update is not possible, users should contact Wind River, which now holds the IPnet license, for guidance.