Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Vast Majority of OT Devices Affected by Urgent/11 Vulnerabilities Still Unpatched

A vast majority of operational technology (OT) devices affected by the Urgent/11 vulnerabilities and many devices impacted by the CDPwn flaws remain unpatched, IoT security firm Armis reported on Tuesday.

A vast majority of operational technology (OT) devices affected by the Urgent/11 vulnerabilities and many devices impacted by the CDPwn flaws remain unpatched, IoT security firm Armis reported on Tuesday.

According to the company, 97% of industrial devices affected by the Urgent/11 vulnerabilities have not been patched. As for the CDPwn bugs, 80% of impacted devices are still vulnerable to attacks.

Armis told SecurityWeek that this is based on data from the company’s Device Knowledgebase, a crowd-sourced, cloud-based device behavior knowledgebase that tracks 280 million devices.

“To determine the vulnerable devices, we used Armis’ Device Knowledgebase to track the firmware versions installed on a subset of impacted vendors and models,” explained Ben Seri, VP of research at Armis. “For URGENT/11 and the impact on OT, we looked at a large subset of Rockwell and Schneider PLCs. For CDPwn, we looked at Cisco Nexus Switches and Cisco VoIPs (78xx series and 88xx series). Armis has very detailed data on the firmware versions that each device is running, and matching rules for CVEs. So we pulled the data on the number of devices of certain vendors and the models that are running firmwares that aren’t patched, versus those that are.”

For example, Armis found that only 2.38% of Rockwell Automation devices and less than 1% of Schneider Electric devices affected by Urgent/11 have been patched since the disclosure of the vulnerabilities in July 2019.

The 11 vulnerabilities tracked as Urgent/11 affect Wind River’s VxWorks and other real time operating systems (RTOS). The security holes are believed to affect hundreds of millions of devices — including industrial, enterprise and medical devices — and some of them can allow attackers to take control of targeted devices.

The vulnerabilities collectively tracked as CDPwn affect the Cisco Discovery Protocol (CDP) and they are believed to impact tens of millions of Cisco products, including IP phones, routers, switches and cameras. At least one of the CDPwn vulnerabilities has been exploited by Chinese state-sponsored hackers, the NSA reported a few weeks ago.

Armis has published a paper showing how attackers could bypass existing mitigations to exploit the CDPwn vulnerabilities to target IoT devices in enterprise networks. The company has determined that in industries such as retail and aviation, more than 80% of Cisco VoIP devices are vulnerable to CDPwn attacks. As for Cisco Nexus switches, the aviation and OT sectors lag behind, with more than 85% of devices unpatched.

Advertisement. Scroll to continue reading.

Cisco devices affected by CDPwn vulnerabilities

While there haven’t been any reports of the Urgent/11 vulnerabilities being exploited in malicious attacks, Armis researchers have demonstrated how attackers could leverage the flaws to take control of programmable logic controllers (PLCs) from Schneider Electric and Rockwell Automation, without authentication or user interaction.

“In the case of the Rockwell Automation PLC, we were able to take control of the Ethernet module that manages communication between the PLC and the engineering workstation and gain unconstrained access over the PLC,” Armis explained in a blog post. “In the case of the Schneider Electric PLC, the Ethernet module is built-in within the Modicon PLC, thus by taking it over we had also gained ring-0 access to the entire PLC.”

Related: Urgent/11 Flaws Impact More RTOS Used by Medical, Industrial Devices

Related: Siemens Says Power Meters Affected by Urgent/11 Vulnerabilities

Related: Chinese Hackers Target Cisco Discovery Protocol Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights