After the disclosure of BlueKeep in May and SACK Panic in June, July almost passed without a major operating system vulnerability. Following Windows and Linux, this time VxWorks operating systems are under the spotlight, with eleven vulnerabilities announced by the Cybersecurity and Infrastructure Security Agency (CISA) and collectively dubbed ‘URGENT/11’.
VxWorks operating systems are used for countless IoT and IoMT devices, from printers to MRI and ultrasound machines. These vulnerabilities thus demand the attention of stakeholders across the healthcare industry, from device manufacturers to hospital security and clinical engineering teams to our security researchers at Medigate Labs.
To make things clearer, we shall
- Clarify the essence of the URGENT/11 vulnerabilities
- Explain which devices are vulnerable, and how can they be identified
- Review the practical remediation and mitigation processes to secure the vulnerable devices and the clinical networks wherein they operate
What is URGENT/11?
All eleven vulnerabilities were found in VxWorks’ TCP/IP stack (IPnet), which governs the TCP communication of devices running VxWorks operating systems. The main reason for concern are six of the eleven that allow Remote Code Execution on affected devices, which can be triggered from afar without requiring any user interaction. Moreover, these vulnerabilities could be exploited under the pretense of ordinary network activity without raising the suspicion of perimeter security solutions.
The exploitation of the six critical vulnerabilities targets different IPnet elements, including causing a stack overflow in the parsing of IPv4 options, heap overflow in the DHCP protocol implementation, and memory flaws in the handling of TCP Urgent Pointer fields (hence the name of the vulnerability set). Full details on all vulnerabilities is available at CISA’s advisory.
These vulnerabilities can be triggered remotely by crafted IP or DHCP packets sent to the target device or a direct connection to an open TCP port that can bypass default perimeter security. They also do not require modifications between affected devices, which makes them even easier to use widely and spread within and between networks.
What devices are affected?
The specific VxWorks versions that are susceptible varies between the eleven vulnerabilities, but generally all versions above 6.5 are affected, except for specific versions designed for certification such as VxWorks Cert Edition.
VxWorks is an extremely common Real-time Operating System (ROTS), used by many types of medical devices, including patient monitors, C-arms, and MRI and ultrasound machines. Networking equipment such as routers, modems, and firewalls, as well as IoT devices such as printers and IP phones also often run on VxWorks. However, many of these devices run earlier versions of VxWorks that are not affected by the vulnerabilities.
Figuring out which devices on the clinical network must thus start with a comprehensive visibility of all connected devices down to their specific VxWorks versions. It can be tedious without an intact inventory or the right tools to extract this information from your network, but it’s essential to identify all vulnerable assets to enable prioritized remediation and mitigation processes.
Taking action to protect your IoT and IoMT devices
The most direct remedy to URGENT/11 is patching the VxWorks operating system, but this will be highly challenging for medical devices. Close collaboration is needed with the device manufacturers, and it might take time to approve the new VxWorks versions before it can be safely used.
Mitigation of the risk be also achieved through network policies that limit TCP communication with the URGENT/11 characteristics, as some of these are uncommon in any legitimate application communicating in the TCP protocol. However, such an interference with a core component of the devices’ network communication mechanism must be considered with care to avoid any adversary impact on device functionality or patient care.
It is essential to identify all vulnerable devices on the clinical network and reach out to manufacturers to initiate the patching process. We have a dedicated team of researchers that are experts in cyber security and medical devices and can answer any questions you have to support this process. And if you want to learn about how our solution quickly inventories your connected devices and alerts for all affected ones as well as potentially malicious communications, contact us and we’ll follow up to ensure your clinical network is protected.
View our Threat Report for updates on new vulnerability disclosures and suggestions on how to mitigate their risks.