DHS and FDA warn about much broader impact of Urgent/11 vulnerabilities

Urgent/11 vulnerabilities impact multiple operating systems, not just VxWorks.

Urgent11

Image: Armis

The US Department of Homeland Security and the US Food and Drug Administration (FDA) have published advisories this week warning about a much broader impact of the Urgent/11 vulnerabilities, which impact more operating systems than initially thought.

The Urgent/11 security flaws were initially disclosed over the summer by cyber-security firm Armis. They allow attackers to run malicious code and take over a wide range of devices, from routers to firewalls, and from printers to industrial equipment.

Security researchers initially believed Urgent/11 only impacted devices using VxWorks, a real-time operating system (RTOS) created by Wind River.

The actual issue was tracked down to IPnet, a TCP/IP networking library that was part of VxWorks.

New operating systems discovered vulnerable

However, additional testing over the summer confirmed that devices running real-time operating systems were also impacted, such as OSE created by ENEA, INTEGRITY created by Green Hills, Microsoft's ThreadX, ITRON by TRON Forum, Mentor's Nucleus RTOS, and ZebOS, a routing platform which provides TCP/IP services for other operating systems.

Now, the DHS is urging companies to check the technical specifications of the devices they're using and see if they're running any of the affected operating systems.

To help, Armis has released a tool that scans networks for devices that contain the IPnet networking stack and are vulnerable to the Urgent/11 vulnerabilities.

In a similar advisory, the FDA is urging hospitals and other healthcare providers to do the same. The only medical devices that have been confirmed as being vulnerable to Urgent/11 is the BD Alaris infusion pump and the Xprezzon patient monitor; however, many more could also be susceptible to attacks.

Hardware and software vendors react

Since the initial Urgent/11 disclosure, many hardware manufacturers have issued security advisories for customers on how to handle vulnerable equipment, along with patches. Below is a list of Urgent/11 security advisories published by various companies: