News

Urgent/11 IoT Zero-Day Security Flaw Poses Threat

• By Michael Desmond
• July 31, 2019

Security around Internet of Things (IoT) devices has been a growing area of concern for years. Now several major code vulnerabilities detected in the network stack of up to 200 million IoT devices pose an urgent threat, enabling attackers to remotely execute code and take over or shut down devices in the field.

The zero-day code flaw, collectively known as Urgent/11, spans 11 vulnerabilities identified by IoT security firm Armis, which published its findings on July 29. Armis rates six of the 11 vulnerabilities as critical, as they allow for remote code execution. Also of concern: The flaws are in the Wind River VxWorks TCP/IP networking stack, which makes affected IoT devices vulnerable to hijacking by receipt of a malformed network packet.

"Urgent/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected," said Yevgeny Dibrov, CEO and co-founder of Armis. "The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people's lives at risk."

Devices affected by the flaw all run versions of the Wind River VxWorks real-time operating system (RTOS), which is the most widely-deployed RTOS in the world. In all, more than 2 billion devices run VxWorks software, while about 200 million of those are thought to be at risk. Armis says it has been working with Wind River over the last month to notify affected customers and issue patches. Both companies say that there is no evidence to date that the URGENT/11 vulnerabilities have been exploited.

Jack Marsal, senior director of product marketing at Armis, described Urgent/11 in a blog post as "unusual from a risk mitigation point of view" for two reasons. First, many of the IoT devices are used in critical industrial, manufacturing and healthcare processes, where it's difficult to scan them with a traditional network vulnerability scanner. Doing so might crash or knock devices offline. And second, he writes, "All of the potential attacks against Urgent/11 would be 'fileless' attacks, so they can't be detected or blocked by most kinds of network security products (e.g. network sandbox, web filters, firewalls)."

Arlen Baker is chief security architect at Wind River. In a blog post he urged organizations to immediately patch impacted devices. He went on to further clarify the scope of the vulnerability, noting that the latest release of VxWorks is not affected by Urgent/11. Likewise, Wind River "safety-critical products" such as VxWorks 653 and VxWorks Cert Edition are likely unaffected by the flaw.

"Those impacted make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organizational networks that are non-critical and internet-facing such as modems, routers, and printers, as well as some industrial and medical devices," Baker writes. "The 200 million number cited by Armis is not confirmed, nor do we believe it to be that high."

Dr. James McCaffrey, a research engineer at Microsoft Research focusing on machine learning and AI, calls Urgent/11 "one of the scariest things I've heard of in many years." He expects devices running VxWorks to be targeted by ransomware attacks or, worse, by foreign cyber warfare teams that could potentially do "catastrophic damage."

"Any company or entity that doesn't patch their VxWorks system immediately is in danger that really can't be overstated," McCaffrey warns.