As of December 15th 2020, thousands of organizations remain at risk from Urgent/11 and CDPwn, which affect critical infrastructure because the vulnerable devices have not been patched. Armis states that 97 percent of OT (Operational Technology) and IoT (Internet of Things) devices are impacted by Urgent/11. In some cases these vulnerabilities have been present for decades, and industrial factory and medical equipment carry the greatest risk because they are not patched.
Urgent/11 affects any connected device running Wind River's VxWorks with the IPnet TCP/IP stack. It consists of 11 distinct vulnerabilities that could result in the compromise of these devices. VxWorks is a real-time operating system that third-party vendors and manufacturers have installed in over 2 billion devices across all industries and enterprise environments. Devices that have been compromised through these vulnerabilities include programmable logic controllers from Schneider Electric and Rockwell Automation, which are used in production and manufacturing environments to carry out mission-critical tasks such as monitoring and controlling the physical devices that operate instruments (e.g. motors, valves, pumps). The advisory also includes six remote code execution (RCE) vulnerabilities that could give an attacker full control over a targeted device via unauthenticated network packets.
CDPwn is a group of five vulnerabilities affecting Cisco equipment, ranging from network infrastructure such as switches and routers to enterprise-grade endpoint devices such as IP phones and security cameras. Four of the vulnerabilities enable RCE and the fifth is a denial-of-service vulnerability that can severely disrupt the operation of the network. CDP (Cisco Discovery Protocol) is a layer 2 protocol used to discover information about locally attached Cisco equipment, and it is implemented in virtually all Cisco products. The following list includes four of the attack outcomes these vulnerabilities make possible:
· Breaking of network segmentation
· Data exfiltration of corporate network traffic traversing an organization's switches and routers
· Gaining access to additional devices through man-in-the-middle attacks that intercept and alter traffic on the corporate switch
· Data exfiltration of sensitive information such as phone calls from devices like IP phones and video feeds from IP cameras
Millions of IoT and OT devices have no dedicated mechanism for managing vulnerabilities, and most cannot run cyber security software or management agents. Agentless protection is therefore needed to help remediate these vulnerabilities. Ongoing monitoring of these devices across the network should look for anomalies that indicate possible suspicious or malicious behavior. Organizations should continue to take precautions with their systems to improve visibility and isolate compromised devices.
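As an added example (not code from the advisory, Armis or Cisco), the following Python parser shows what agentless, passive visibility into CDP looks like: it decodes the TLVs a CDP frame advertises so that every CDP-speaking device on a segment can be inventoried, and it flags a TLV whose declared length does not fit the frame instead of trusting that length. The frame layout used (Cisco multicast MAC 01:00:0c:cc:cc:cc, LLC/SNAP with protocol ID 0x2000, 4-byte TLV header whose length includes itself) is the standard CDP encoding; the sample frames and the helper functions that build them are constructed for the example.

```python
import struct

# Fixed fields of a CDP frame: the Cisco multicast MAC, the LLC/SNAP header that
# carries protocol ID 0x2000, and the standard TLV types worth inventorying.
CDP_MAC = bytes.fromhex("01000ccccccc")
SNAP_HDR = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + b"\x20\x00"
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "software_version", 0x0006: "platform"}

def wrap_cdp(src_mac, body):
    """Constructed helper: put a raw CDP TLV body into an 802.3/LLC/SNAP frame."""
    cdp = b"\x02\xb4\x00\x00" + body          # version 2, TTL 180 s, checksum left at 0
    llc = SNAP_HDR + cdp
    return CDP_MAC + src_mac + struct.pack("!H", len(llc)) + llc

def build_cdp_frame(src_mac, tlvs):
    """Constructed helper: encode (type, value) pairs as TLVs (length covers the 4-byte header)."""
    body = b"".join(struct.pack("!HH", t, len(v) + 4) + v for t, v in tlvs)
    return wrap_cdp(src_mac, body)

def parse_cdp_frame(frame):
    """Passively inventory what a CDP frame advertises and flag TLVs whose
    declared length does not fit the frame, instead of trusting that length."""
    if len(frame) < 26 or frame[:6] != CDP_MAC or frame[14:22] != SNAP_HDR:
        return None                            # not a CDP frame: ignore
    info = {"src_mac": frame[6:12].hex(":"), "version": frame[22],
            "tlvs": {}, "anomalies": []}
    pos = 26                                   # first TLV follows the 4-byte CDP header
    end = min(len(frame), 14 + struct.unpack("!H", frame[12:14])[0])
    while pos < end:
        if end - pos < 4:
            info["anomalies"].append("truncated TLV header at offset %d" % pos)
            break
        tlv_type, tlv_len = struct.unpack("!HH", frame[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > end:
            info["anomalies"].append("TLV 0x%04x declares bad length %d" % (tlv_type, tlv_len))
            break
        value = frame[pos + 4:pos + tlv_len]
        name = TLV_NAMES.get(tlv_type, "type_0x%04x" % tlv_type)
        info["tlvs"][name] = value.decode("ascii", "replace")
        pos += tlv_len
    return info
```

Fed the frames captured by a passive sensor on a switch SPAN port, the returned inventory tells you which devices still advertise CDP (and therefore still need the CDPwn patch), while any non-empty anomalies list is worth alerting on.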
As noted by Cisco, the “vulnerabilities are similar to the Urgent/11 vulnerabilities published in 2019 and impacting the TCP/IP stack developed by Interpeak. Like Urgent/11 the Ripple20 vulnerabilities allow attackers to trigger remote code execution and denial of service”.
The E-ISAC is providing this information for member awareness. If you have any questions or comments, please reach out to us at firstname.lastname@example.org or at 202-790-6000. Members and partners are encouraged to share information via the E-ISAC Watch at email@example.com, posting appropriate information on the E-ISAC Portal, or calling 202-790-6000 (24/7).
- Canadian CERTs
- CRISP - Cyber Risk Info Sharing Program
- DHS - NICC, NCCIC, US-CERT, etc
- DOE Complex
- E-ISAC AOO Members
- E-ISAC Staff
- FBI, LE Fusion
- FERC - OEIS, etc
- International (other ISACs, CERTs)
- Other (inc. local/state commissions)
- Trade Organizations
- Watch Floor
- Admin, 01/16/2021
- Atonial Hyatt, 12/24/2020