URGENT/11 is a set of vulnerabilities that affects operational technology (OT) devices and CDPwn of Cisco devices, which was reported by the IoT security firm – Armis. Despite fixes being delivered in 2019, Armis researchers observed that 97% of the OT devices impacted by URGENT/11 and 80% of devices affected by CDPwn were vulnerable/unpatched.
Ben Seri of Armis says that they’ve researched on Rockwell and Schneider PLCs and for CDPwn, looked at Cisco Nexus Switches and Cisco VoIPs (78xx series and 88xx series). VxWorks managed by Wind River had 11 zero-day vulnerabilities disclosed in this research. VxWorks is an operating system used in medical, industrial as well as enterprise devices.
URGENT/11 could be dangerous as it allows nefarious attackers to take full control of devices without any user interaction. It also has the capability of bypassing perimeter security such as firewalls and NAT solutions. Again, due to ‘wormable’ behavior, it has the potential to propagate malware resembling to WannaCry or EternalBlue.
Armis research team have demonstrated exploiting PLCs of Rockwell PLC , Schneider Electric PLC as well as URGENT/11 DoS attack on PLCs.
Out of the CVEs listed below, 6 of them result in RCE and 5 of them could lead to DoS and informational leak, together forming URGENT/11.
| CVE | Vulnerability Name | QID |
| CVE-2019-12256 | Stack overflow in the parsing of IPv4 options | 13534 |
| CVE-2019-12257 | Heap overflow in DHCP Offer/ACK parsing in ipdhcpc | |
| CVE-2019-12258 | TCP connection DoS via malformed TCP options | |
| CVE-2019-12262 | Handling of unsolicited Reverse ARP replies (Logical Flaw) | |
| CVE-2019-12264 | Logical flaw in IPv4 assignment by the ipdhcpc DHCP client | |
| CVE-2019-12259 | DoS via NULL dereference in IGMP parsing | |
| CVE-2019-12265 | IGMP Information leak via IGMPv3 specific membership report | |
| CVE-2019-12255,CVE-2019-12260, CVE-2019-12261, CVE-2019-12263 | Four memory corruption vulnerabilities stemming from erroneous handling of TCP’s Urgent Pointer field |
Affected Versions
VxWorks version 6.5 and later.
The list of devices that use VxWorks OS includes SCADA devices, Industrial controllers, Patient monitors, MRI machines, Firewalls, VOIP phones as well as Printers.
Solution
Wind River has created and fully tested patches for the security vulnerabilities that were discovered in the TCP/IP stack (IPnet) – a component of certain versions of VxWorks.
Qualys Detection
Qualys customers can scan their network with QID 13534 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.
References and Sources
https://www.armis.com/urgent11/
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/