It has been reported that thousands of organisations remain at risk from the URGENT/11 and CDPwn collections of vulnerabilities, which affect operational technology (OT) gear and internet of things (IoT) devices, respectively. Researchers say patching has been sparse: according to Armis, 97% of the OT devices impacted by URGENT/11 have not been patched, despite fixes having been delivered in 2019.
URGENT/11 is a collection of 11 bugs that can affect any connected device running Wind River's VxWorks with the IPnet TCP/IP stack (Wind River has published the associated CVEs). VxWorks is a real-time operating system (RTOS) that third-party hardware manufacturers have embedded in more than 2 billion devices across industrial, medical and enterprise environments.
Affected devices, including programmable logic controllers from Schneider Electric and Rockwell Automation, are typically used in production and manufacturing environments to carry out mission-critical tasks such as monitoring and controlling the physical devices that drive instruments (e.g. motors, valves and pumps).
URGENT/11 also impacts devices using six further real-time operating systems that incorporated the IPnet TCP/IP stack: OSE by ENEA, Integrity by Green Hills, ThreadX by Microsoft, Nucleus RTOS by Mentor, ITRON by TRON Forum and ZebOS by IP Infusion. This discovery expands the reach of URGENT/11 to potentially millions of additional medical, industrial and enterprise devices.
Commenting on this, Michael Fabian, Principal Security Consultant at the Synopsys Software Integrity Group, said "There’s a lot more that goes into making changes to infrastructure systems than simply scheduling updates and reboots. While URGENT/11 patches were delivered in 2019, we’re seeing a cascading effort from both vendors as well as end-users that have yet to certify and adapt, change manage, and risk assess their systems. And it should be noted that these changes don’t happen overnight – or even over weeks.
"It gets more complicated when you go from industry to industry, or from system to system. Vendors need to ensure their gear runs with updated real time operating systems (RTOS), and a great deal of failure and condition testing goes into that – including technical debt/feasibility estimates, among the many other aspects that must be considered from the engineering organisation. Once that’s complete, and the various widgets have been updated, you now need to update each application of that widget in its requisite system.
"Integrators and system vendors come into play at this point. They must consider how the individual deployment of these widgets works with the applied changes, and how to roll that scheduled update out to end-users. As you can see, at the end of the day it's a lot more complex than simply pushing out an update. It takes time and money – who pays for the patch is another area that must be contemplated between the device vendor, integrator and end-user."
Read the article online at: https://www.worldpipelines.com/equipment-and-safety/17122020/comment-millions-of-unpatched-iot-ot-devices-threaten-critical-infrastructure/