Administrators of information and operational networks aren't doing a good job of patching their internet-connected devices against two vulnerabilities the vendor discovered, according to a new vendor survey.
In a blog published Tuesday, California-based Armis Inc., which makes a network visibility tool, says its research suggests huge numbers of devices affected by the Urgent/11 and CDPwn vulnerabilities still haven’t been patched, although security updates were issued months ago.
CDPwn is a vulnerability in the Cisco Discovery Protocol implementation for Cisco Systems' IOS XR Software used in carrier-grade routers. By exploiting the CDPwn vulnerabilities, attackers could eavesdrop on voice and video calls and video feeds, break network segmentation, set up man-in-the-middle attacks, or exfiltrate critical information, says Armis.
Cisco issued a patch in February. However, Armis says its internet scans suggest 80 per cent of Cisco devices affected by CDPwn remain unpatched.
"CDPwn vulnerabilities impact tens of millions of enterprise devices including switches, routers, VoIP phones, and IP cameras," Ben Seri, vice-president of Research at Armis, says in the blog.
Urgent/11 is a group of vulnerabilities affecting operating systems in devices including Wind River's VxWorks RTOS (Real Time Operating System), and OSes that support the IPnet TCP/IP stack including ENEA's OSE, Green Hills INTEGRITY, Microsoft's ThreadX, Mentor's Nucleus RTOS, and ITRON by TRON Forum. The IPnet TCP/IP stack was also implemented in ZebOS, a routing framework by IP Infusion used on top of OSes by networking companies as the basis for their networking products such as routers and switches.
Armis says the Urgent/11 vulnerabilities affect enterprise devices, medical devices, as well as operation technology (OT), industrial control systems (ICS), and programmable logic controllers (PLC). Affected devices are typically used in production and manufacturing environments to carry out various mission-critical tasks, such as monitoring and control of physical devices that operate various instruments (for example, motors, valves and pumps).
Although patches have been available for over a year, Armis says its scans suggest 97 per cent of the OT devices impacted by Urgent/11 have not been patched.
“Using one of the critical RCE (remote-code-execution) vulnerabilities from Urgent/11, we were able to exploit two of the most common PLCs — the Control Logix Ethernet module 1756-EN2TR from Rockwell Automation, and the Modicon M580 from Schneider Electric,” Armis says. “In the case of the Rockwell Automation PLC, we were able to take control of the Ethernet module that manages communication between the PLC and the engineering workstation and gain unconstrained access over the PLC.
“In the case of the Schneider Electric PLC, the Ethernet module is built-in within the Modicon PLC, thus by taking over it we had also gained ring-0 access to the entire PLC. The developed exploit does not require any type of authentication, or user-interaction. With this level of access, an attacker can alter code on the PLC and change incoming or outgoing messages—sending false or misleading data to the engineering workstation.”
These two vulnerabilities could be combined by an attacker, the blog argues. CDPwn could be leveraged to infiltrate a network, then Urgent/11 could be used to take over a device.