Thousands of organizations remain at risk from the URGENT/11 and CDPwn collections of vulnerabilities, which affect operational technology (OT) gear and internet of things (IoT), respectively. Unfortunately, there has been a rampant lack of patching, researchers said.
According to researchers at Armis, a whopping 97 percent of the OT devices impacted by URGENT/11 have not been patched, despite fixes being delivered in 2019. And, 80 percent of those devices affected by CDPwn remain unpatched.
URGENT/11 is a collection of 11 different bugs that can affect any connected device leveraging Wind River’s VxWorks that includes an IPnet stack (CVEs from Wind River available here). VxWorks is a real-time operating system (RTOS) that third-party hardware manufacturers have embedded in more than 2 billion devices across industrial, medical and enterprise environments.
Affected devices, including programmable logic controllers from Schneider Electric and Rockwell Automation, are typically used in production and manufacturing environments to carry out various mission-critical tasks, such as monitoring and control of physical devices that operate various instruments (e.g., motors, valves, pumps, etc.).
Most concerningly, URGENT/11 includes six remote code-execution (RCE) vulnerabilities that could give an attacker full control over a targeted device, via unauthenticated network packets.
“URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected,” said Yevgeny Dibrov, CEO and co-founder of Armis, when the bugs were discovered. “The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk.”
CDPwn encompasses five critical vulnerabilities discovered in February in the Cisco Discovery Protocol (CDP), the info-sharing layer that maps all Cisco equipment on a network. The bugs can allow attackers with an existing foothold in the network to break through network-segmentation efforts and remotely take over millions of devices.
CDP is a Cisco proprietary Layer 2 network protocol that is used to discover information about locally attached Cisco equipment. CDP aids in mapping the presence of other Cisco products in the network and is implemented in virtually all Cisco products – including switches, routers, IP phones and IP cameras. Many of these devices cannot work properly without CDP, and do not offer the ability to turn it off, according to Armis.
The lack of patching lays open critical environments to takeover, according to Ben Seri, vice president of research at Armis.
“These devices are not simply used in everyday businesses but are core to our healthcare, manufacturing and energy industries,” he said, in a recent blog post.
The news comes as attackers continue to exploit the bugs. For instance, in October, the NSA identified one of the CDPwn flaws (CVE-2020-3118) as No. 24 on the list of the Top 25 vulnerabilities that are currently being consistently scanned, targeted and exploited by Chinese state-sponsored hacking groups.
Some of the URGENT/11-affected manufacturers did not provide updates, Seri noted, but even for those that did, it is a labor-intensive program to update impacted devices because they tend to be mission-critical and taking them offline to patch is often not an option. Cisco meanwhile did provide patches for CDPwn at the time of disclosure.
Seri noted the increasingly common scenario where combining the CDPwn and URGENT/11 vulnerabilities represents a very serious risk to these environments—giving attackers the opportunity to take over Cisco network equipment, move laterally across the network, and gain access to mission-critical devices like infusion pumps and PLCs.
“An attacker can infiltrate a network, lie in wait, and conduct reconnaissance undetected, then execute an attack that could cause significant financial or property damage, impact production or operations, or impact patient delivery and care,” he warned.
To protect themselves, organizations should patch wherever possible, but should also strive for complete visibility of their device footprint, behavioral analysis of the activity of those devices, and a capability to remediate issues or isolate compromised devices, Seri said.
“Most of the IT, internet of medical things (IoMT), OT and IoT devices lack any means of installing cybersecurity software or agents, which means you need to have agentless protection capable of discovering every device in the environment and detecting vulnerable code on devices,” Seri added. “You should also be able to map connections from devices throughout your network and detect anomalies in behavior that indicate suspicious or malicious behavior or communications so you can take the appropriate action.”
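The agentless visibility Seri describes can start with the CDP announcements that Cisco devices already send. The sketch below is an added example, not code from Armis or Cisco: it passively parses captured CDP frames into a device inventory and flags software versions that have not yet been checked against vendor advisories. The frame layout (multicast address, LLC/SNAP header, TLV type codes) follows the publicly documented protocol format; the device names, version strings and the `reviewed_versions` set are constructed placeholders.

```python
import struct

CDP_DST_MAC = bytes.fromhex("01000ccccccc")      # CDP multicast destination
CDP_SNAP = bytes.fromhex("aaaa0300000c2000")     # LLC/SNAP: Cisco OUI, protocol 0x2000
TLV_NAMES = {1: "device_id", 3: "port_id", 5: "software_version", 6: "platform"}

def parse_cdp_frame(frame):
    """Return inventory fields from one raw Ethernet frame, or None if it is not CDP."""
    if len(frame) < 26 or frame[:6] != CDP_DST_MAC or frame[14:22] != CDP_SNAP:
        return None
    # The 802.3 length field bounds the payload, so Ethernet padding is ignored.
    end = min(len(frame), 14 + struct.unpack_from("!H", frame, 12)[0])
    record = {"source_mac": frame[6:12].hex(":"), "malformed": False}
    offset = 26                                   # skip CDP version, TTL, checksum
    while offset + 4 <= end:
        tlv_type, tlv_len = struct.unpack_from("!HH", frame, offset)
        # tlv_len includes the 4-byte TLV header; never trust it beyond the frame.
        if tlv_len < 4 or offset + tlv_len > end:
            record["malformed"] = True
            break
        if tlv_type in TLV_NAMES:
            value = frame[offset + 4:offset + tlv_len]
            record[TLV_NAMES[tlv_type]] = value.decode("ascii", "replace")
        offset += tlv_len
    return record

def build_inventory(frames, reviewed_versions):
    """Map device_id -> record, flagging versions not yet checked against advisories."""
    inventory = {}
    for frame in frames:
        record = parse_cdp_frame(frame)
        if record is None or "device_id" not in record:
            continue
        version = record.get("software_version")
        record["needs_review"] = record["malformed"] or version not in reviewed_versions
        inventory[record["device_id"]] = record
    return inventory

def sample_frame(device_id, version, src_mac="020000000001"):
    """Constructed CDP announcement for the demo (checksum left as zero)."""
    tlv = lambda t, v: struct.pack("!HH", t, len(v) + 4) + v
    cdp = bytes([2, 180, 0, 0]) + tlv(1, device_id) + tlv(5, version) + tlv(6, b"constructed-platform")
    payload = CDP_SNAP + cdp
    return CDP_DST_MAC + bytes.fromhex(src_mac) + struct.pack("!H", len(payload)) + payload

if __name__ == "__main__":
    frames = [sample_frame(b"lab-switch-01", b"constructed-os 1.0"),
              sample_frame(b"lab-phone-07", b"constructed-os 0.9", "020000000002")]
    for name, rec in build_inventory(frames, {"constructed-os 1.0"}).items():
        print(name, rec["source_mac"], rec["software_version"], rec["needs_review"])
```

The parser does not verify the CDP checksum, and an announced version string is only a starting point for review, since it reflects what the device reports about itself.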