When, in late July, Armis researchers revealed the existence of the so-called Urgent11 vulnerabilities in Wind River’s VxWorks real-time operating system, they noted that RTOS offerings by other vendors may also be vulnerable.
As it turns out, they were right – they are also present is some versions of these Real Time Operating Systems:
- OSE by ENEA
- INTEGRITY by Green Hills
- Nucleus RTOS by Mentor
- ITRON by TRON Forum
- ZebOS by IP Infusion.
(The researchers also said Microsoft’s ThreadX is vulnerable, though Microsoft says they never released a version of ThreadX bundled with the IPnet stack. But, the company noted, some hardware makers could have used ThreadX and a custom set IPnet in the hardware.)
The source of the vulnerabilities
The source of the vulnerabilities (CVE-2019-12255 to CVE-2019-12262) is IPnet, an TCP/IP stack used by these various operating systems.
The IPnet TCP/IP stack was created by Swedish software firm Interpeak, which was acquired by Wind River in 2006, and that’s how the stack ended up in its VxWorks RTOS.
But before the acquisition, Interpeak had already licensed the IPnet stack to a variety of customers, and this is how it ended up in those other RTOS.
The discovery of the same vulnerabilities in other RTOS has been triggered by a hospital that uses the Armis security platform: they found that the BD Alaris PC Unit infusion pumps they were using had them, despite not running Wind River’s VxWorks RTOS.
“While we considered the possibility of operating systems other than VxWorks being affected, which we referenced in our original disclosure, the BD Alaris pump provided confirmation of the complexity and broader reach of these vulnerabilities,” said Ben Seri, vice president of research & head of Armis Labs.
The discovery of the vulnerabilities in other RTOS have widened the initial estimated impact to millions of additional medical, industrial and enterprise devices, the company noted.
Not all versions of all the mentioned RTOS sport the Urgent11 vulnerabilities. The various RTOS providers should provide or have already provided specifics, patches and mitigations (Wind River has).
The list of affected devices is sizeable and diverse (SCADA devices, patient monitors, firewalls, printers, etc.).
It includes devices by Avaya, Schneider Electric, Siemens, Sonicwall, Xerox, ABB, Dräger, GE Healthcare, Honeywell, Alcatel-Lucent, and others. Armis has linked to these manufacturers’ security advisories in their blog post.
The US DHS (1, 2) and the Food and Drug Administration have released advisories that offer more details about affected RTOS, available mitigations and patches, and advice for manufacturers, health care providers and health care facility staff (including IT staff).
Armis has provided an Urgent11 signature and Snort rules to be freely used by Firewall and IDS solutions to detect and help prevent any attempt to exploit these vulnerabilities.
They’ve also released a free detection tool that can identify devices using the IPnet stack (whether VxWorks-based or otherwise), as the chances of more RTOS and devices being vulnerable are considerable.