Threat Advisory: URGENT/11 Zero-Day Vulnerability

July 30, 2019

News of the URGENT/11 zero-day vulnerabilities has begun to emerge. These vulnerabilities affect the VxWorks real-time operating system created by Wind River and may allow a remote attacker to gain full control over an impacted device. VxWorks is used by over 2 billion devices globally, including Internet of Things (IoT) devices such as printers, VoIP phones, firewalls, routers, medical equipment, elevators, industrial controllers, and SCADA systems.

In total, 11 vulnerabilities have been discovered, six of which are rated critical, collectively branded URGENT/11. The vulnerabilities reside in the IPnet TCP/IP stack and affect VxWorks 6.5 and higher; according to security research firm Armis, "any connected device leveraging VxWorks that includes the IPnet stack is affected by at least one of the discovered vulnerabilities." The versions designed for certification, VxWorks 653 and VxWorks Cert Edition, are not affected.
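The affected-version rule above (6.5 and higher, certification editions excluded) is what an asset owner has to apply to an inventory to decide what to patch first. The following is an added example, not code from the advisory, Armis or Wind River: it triages a constructed device inventory against that rule and orders in-scope hosts so that devices reachable from outside an isolated OT zone come first. The CSV layout, the zone names and the sample hosts are assumptions made for the example.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample inventory (not real devices): host, OS string as recorded
# by the asset system, and the network zone the device sits in.
SAMPLE_INVENTORY = """\
host,os,network_zone
plc-line1,VxWorks 6.9.4.1,ot
print-floor2,VxWorks 6.6,corp
avionics-sim,VxWorks 653 3.1,lab
gateway-dmz,VxWorks 7 SR0620,dmz
legacy-ctrl,VxWorks 5.5.1,ot
safety-ctrl,VxWorks Cert Edition 6.6,ot
badge-reader,Linux 4.19,corp
hmi-panel,VxWorks,ot
"""

MIN_AFFECTED = (6, 5)                 # advisory: VxWorks 6.5 and higher
EXPOSED_ZONES = {"dmz", "corp"}       # assumption: zones not isolated from IT/Internet


@dataclass
class Triage:
    host: str
    zone: str
    verdict: str   # in_scope | version_unknown | excluded | below_threshold | not_vxworks
    reason: str


def parse_vxworks_version(os_string):
    """Return (major, minor) from strings like 'VxWorks 6.9.4.1' or 'VxWorks 7 SR0620'.
    Returns None when no version number follows 'VxWorks'."""
    m = re.search(r"vxworks\s+(\d+)(?:\.(\d+))?", os_string, re.IGNORECASE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def triage_device(host, os_string, zone):
    s = os_string.lower()
    if "vxworks" not in s:
        return Triage(host, zone, "not_vxworks", "OS is not VxWorks")
    # Certification editions are explicitly out of scope; check them before
    # version parsing so '653' is not read as a major version number.
    if re.search(r"\b653\b", s) or "cert edition" in s:
        return Triage(host, zone, "excluded",
                      "VxWorks 653 / Cert Edition is not affected")
    ver = parse_vxworks_version(os_string)
    if ver is None:
        # No version recorded: treat as in scope until the manufacturer confirms.
        return Triage(host, zone, "version_unknown",
                      "VxWorks version not recorded; verify with manufacturer")
    label = f"VxWorks {ver[0]}.{ver[1]}"
    if ver >= MIN_AFFECTED:
        return Triage(host, zone, "in_scope", f"{label} is 6.5 or higher")
    return Triage(host, zone, "below_threshold",
                  f"{label} predates 6.5; outside the advisory's stated range, confirm with vendor")


def triage_inventory(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return [triage_device(r["host"], r["os"], r["network_zone"]) for r in rows]


def patch_order(csv_text):
    """Hosts needing action, exposed zones first (the flaws are exploitable from
    the perimeter as well as from inside), otherwise in inventory order."""
    todo = [t for t in triage_inventory(csv_text)
            if t.verdict in ("in_scope", "version_unknown")]
    indexed = list(enumerate(todo))
    indexed.sort(key=lambda p: (0 if p[1].zone in EXPOSED_ZONES else 1, p[0]))
    return [t.host for _, t in indexed]


if __name__ == "__main__":
    for t in triage_inventory(SAMPLE_INVENTORY):
        print(f"{t.host:14} {t.zone:5} {t.verdict:16} {t.reason}")
    print("patch order:", patch_order(SAMPLE_INVENTORY))
```

Devices that report only "VxWorks" with no version are deliberately kept on the to-do list: an unknown version is a reason to ask the manufacturer, not a reason to skip the device.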

The URGENT/11 vulnerabilities pose a significant risk to all connected VxWorks devices, as they can be used to remotely take control of a device whether it sits on the network perimeter or within it. While some operating-system-level defenses exist, they are left to the device manufacturer to enable and appear to be missing in many products.

Wind River Systems, the vendor of VxWorks, released patches for the vulnerabilities on July 19, 2019. Manufacturer-specific firmware updates that incorporate those patches are expected to follow.

Recommendations

Organizations should patch impacted devices as soon as updates are available. These vulnerabilities potentially parallel the impact of the EternalBlue vulnerability from 2017, which led to the worldwide WannaCry ransomware outbreak. The fact that many of the affected devices are control or SCADA systems, which are often difficult to update promptly, complicates the issue and highlights the importance of complete network isolation and patch management programs.

Signatures for intrusion detection systems and other network monitoring solutions are being developed and released by vendors. 

Any evidence of attack should be investigated and triaged.  The Security Engineering and Incident Response teams here at Herjavec Group are actively engaged with Managed Security Services customers to validate signature deployment and triage any potential challenges. Our Security Operations Center team continues to vigilantly escalate any suspicious activity relating to this threat.

Herjavec Group's Threat Management & Incident Response team is available for further support and consultation. If you need Incident Response support or Security Expertise, please connect with us.

References

  1. https://armis.com/urgent11/
  2. https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue
  3. https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.
