URGENT/11 TCP/IP Stack Vulnerabilities

Vulnerabilities in the VxWorks TCP/IP Stack Are a Critical Threat to Medical and IoT Devices
Aug 1, 2019
Threat Intelligence

What Is URGENT/11?

URGENT/11 is a group of 11 zero-day vulnerabilities discovered in July 2019. It is found in the VxWorks TCP/IP stack (IPnet) and is similar to the Ripple20 and NAME:WRECK vulnerability families. Other operating systems may also be vulnerable. The vulnerable IPnet stack is used by billions of devices, many of which are critical in clinical environments. Devices affected include critical industrial, enterprise, and medical devices. 

URGENT/11 vulnerabilities are remotely executable and allow unauthorized users (threat actors) to remotely take control of devices without being detected. They can cause denial of service, enable data exfiltration, or exploit logical flaws in devices.

Why Are URGENT/11 Vulnerabilities So Threatening to Healthcare Organizations?

If a critical medical device vulnerable to URGENT/11 vulnerabilities is exploited:

  1. The device can be manipulated remotely to show false data (vital signs, heart rate, glucose level, MRI/CT images, etc.). This can lead to misdiagnoses and/or incorrect treatment plans for patients.
  2. The device can crash and disrupt clinical workflow. Obviously, if life support devices or any critical devices directly involved in patient care (IV pumps/any infusion pump, dialysis machine) crash, the result will be negative patient outcomes.
  3. ePHI can be stolen from devices that store and send it, and lead to major fines from regulators like the FDA, HRC (HIPAA), and JCAHO.

What Medical Devices Are Vulnerable?

Devices running any of the listed operating systems could be vulnerable:

  • VxWorks (by Wind River)
  • Operating System Embedded (OSE) (by ENEA)
  • INTEGRITY (by Green Hills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON Forum)
  • ZebOS (by IP Infusion)

Specific devices that may be affected:

  • Alaris IV Pumps
  • iLAB™ Ultrasound Imaging System and POLARIS™ Imaging System (through directly-affected third-party SonicWall firewall)
  • FUJIFILM SonoSite M-Turbo ultrasound machine
  • Anesthesia machine
  • Draeger Ventilator - Evita Infinity V500
  • HemoCue Hematology Analyzer Hb 201 DM
  • Various GE MRI, CT, Ultrasound and surgery systems
  • Siemens MRI machines
  • Philips C-Arms
  • Dräger ventilators, incubators, and anesthesia machine
  • Kronos 4500 Time Clocks (employee time and attendance) - Although not critical to clinical operations, they can disrupt HR operations and the general workflow

What Healthcare Organizations Can Do to Mitigate the URGENT/11 Threat

The first step is determining if any of the devices on your network are affected by URGENT/11 vulnerabilities and immediately flagging critical devices. 

Next is figuring out how to mitigate the risk of the vulnerabilities, depending on the device in question. It’s also important to keep an eye on vendor communications to be sure you know when a patch is made available. Finally, the mitigating plan has to be put into action.

How Cynerio’s operationally-safe Zero Trust cybersecurity works for healthcare organizations

Cynerio will show you the best ways to mitigate the risk of the vulnerabilities, depending on the device in question, and notify you when vendors make patches available. We’ll also constantly monitor your network activity and automate mapping critical devices on your network to identify any newly connected devices with the vulnerabilities.

Enforcing security policies safely in clinical environments is tough. To help you navigate these challenges, we’ll help you set up a preemptive and proactive operationally-safe Zero Trust cybersecurity infrastructure that hardens your network against URGENT/11 vulnerabilities and other known and unknown threats. We do this by setting up policies that only allow access to entities on an individual basis, including third parties and vendors. 

Neutralizing the URGENT/11 Threat with Zero Trust Security

After we identify every device and determine if they’re affected, we locate and flag them. Cynerio uses Impact Modeling to prioritize risk according to medical impact, ensuring mission-critical devices remain secure and functional. 

On top of Impact Modeling, we also use Mitigation ModelingTM to determine the most optimal path to mitigating threats with step-by-step plans that enable you to:

  • Quickly and safely configure and enforce operationally-safe Zero Trust North-South and East-West segmentation policies to limit access to the network and lateral movement in the case of any compromised devices
  • Continue using mission-critical devices with our Quarantine capability
  • Micromanage risks on specific ports with our Service Hardening capability to configure access rules according to every communication’s source and destination IP/ports (e.g. TELNET, FTP, REXEC, SSH, etc.)
  • Manage all vendor and third-party connections with our Vendor Access Management capability to give you full visibility and control into who’s connecting to what devices for what services when

To learn more about URGENT/11 vulnerabilities and how Cynerio can help you mitigate the threat, contact us

Keep your finger on the pulse of Healthcare IoT security

Get Your Free Pass to HIMSS21

August 9 -13, Las Vegas

HOW? Easy! If you are a Healthcare IT Executive and you book a 30-minute call with us before July 30th, you get a free pass (valued at $1295)

Book a Call

*Please note that there is limited pass availability