
URGENT/11 - New ICS threat signatures from Nozomi Networks Labs
The well-known VxWorks RTOS (Real-Time Operating System), which is widely used in more than 2 billion devices in critical infrastructure sectors such as healthcare, transport, aviation and other industrial operations, is affected by 11 vulnerabilities, known as URGENT/11.
The vulnerabilities were reported in the TCP/IP stack (IPnet) of VxWorks and affect all versions since version 6.5.
IoT security vendor Armis first reported and analysed the vulnerabilities and documented them in coordination with Wind River's VxWorks incident response. The flaws allow attackers to take over devices without any user interaction.
The vulnerabilities are particularly critical because:
- They allow attackers to take over devices without any user interaction and also bypass security devices such as firewalls and NAT solutions.
- The vulnerabilities are "wormable", which means they can be used to spread malware to and within networks.
- They affect devices such as SCADA, lift and industrial controls, patient monitors and MRI machines, as well as firewalls, routers, modems, VOIP phones and printers.
- They could potentially have a greater impact because IPnet (VxWorks' TCP/IP stack) was used in other operating systems before Wind River acquired VxWorks in 2006.
Organizations running VxWorks-based devices should urgently assess their networks for exposure to URGENT/11. An attack exploiting one of these vulnerabilities could allow threat actors to take over devices without user interaction, spread very quickly and cause significant operational disruption.
Nozomi Networks customers using Guardian with OT ThreatFeed automatically receive the threat signatures and are notified when indicators of compromise are identified. An initial set of threat signatures has already been delivered; more are in development and will be released this month.
Following the initial disclosure of the URGENT/11 vulnerabilities, several weak detection signatures were published online. Most were written to detect prerequisites of the exploitation phase, but they are too generic for use in wide-area, heterogeneous networks, where they could generate too many false positives to be actionable.
To help you avoid this problem, Nozomi Networks Labs did not immediately integrate these published signatures into its OT ThreatFeed (OTTF). Instead, it tested the vulnerable devices in the lab and quickly developed its own signatures for identifying the vulnerabilities, designed to work reliably in industrial environments as well as in more traditional IT environments.
Nozomi Networks Labs is constantly working to effectively detect this type of attack scenario by adding new signatures to OTTF and improving its detection mechanisms.
The vulnerability database identifies vulnerable assets and supports patch management activities. Alongside it, Nozomi Networks provides accurate and powerful signatures for precise, real-time detection of exploitation attempts.
For more on the topic, see:
https://www.nozominetworks.com/blog/urgent-11-new-ics-threat-signatures-by-nozomi-networks-labs/