Network devices

Urgent / 11 faults now affect a wider range of medical devices and network

When the initial disclosure of the Urgent / 11 vulnerabilities took place this summer, Armis said devices from manufacturers such as GE Healthcare, Philips and Drager. Manufacturers have issued notices, but fixes are not possible for many devices because they do not have an update mechanism. After this initial disclosure, an Armis customer called the company regarding an alert identifying a vulnerable device in its network. The device turned out to be an Alaris infusion pump made by Becton Dickinson, a major manufacturer of devices. But the device did not use the VxWorks operating system, which confused the researchers and the manufacturer. A few weeks later, Armis researchers were able to test one of the BD infusion pumps during DEF CON and found that it was indeed vulnerable, thanks to the presence of the IPnet stack.

“In about half an hour, with the kind assistance of BD Product Safety Representatives, we successfully exploited one of the URGENT / 11 vulnerabilities on the BD Alaris Infusion Pump, causing it to crash. . Specifically, the network stack crashed displaying an error message and the infuser beeped loudly, the user interface becoming unresponsive. Our experience has shown that this device, among others that do not run VxWorks but have implemented the IPnet TCP / IP stack, can still be affected by URGENT / 11 vulnerabilities, ”Seri said.

As it turned out, several other RTOS had implemented the IPnet stack, opening them up to Urgent / 11 vulnerabilities. Armis researchers have identified six other operating systems that implement the IPnet library and are therefore vulnerable: OSE, INTEGRITY, Microsoft ThreadX, ITRON, Mentor Nucleus and ZebOS. Although the IPnet stack itself is quite old, billions of devices still run it in one form or another.

“Devices using versions of these operating systems may contain the IPnet stack and therefore be vulnerable to URGENT / 11. While it may seem like such devices are already out of order, there are still plenty of them. Most devices that use RTOS are mission-critical devices, which undergo a much longer development and approval period than consumer devices, and have much longer lifecycles when in use, ”Seri said.

There is no straightforward solution for the vulnerabilities in the IPnet stack, but many affected manufacturers have published advisories containing specific mitigations and compensating controls for their products. The Department of Homeland Security and the Food and Drug Administration have issued notices on the new expanded scope of Urgent / 11 vulnerabilities.

Source link