The US Department of Homeland Security and the US Food and Drug Administration (FDA) have published advisories this week warning about a much broader impact of the Urgent/11 vulnerabilities[1], which impact more operating systems than initially thought.
The Urgent/11 security flaws were initially disclosed over the summer by cyber-security firm Armis. They allow attackers to run malicious code and take over a wide range of devices, from routers to firewalls, and from printers to industrial equipment.
Security researchers initially believed Urgent/11 only impacted devices using VxWorks, a real-time operating system (RTOS) created by Wind River.
The actual issue was tracked down to IPnet, a TCP/IP networking library that was part of VxWorks.
New operating systems discovered vulnerable
However, additional testing over the summer confirmed that devices running real-time operating systems were also impacted, such as OSE created by ENEA, INTEGRITY created by Green Hills, Microsoft's ThreadX, ITRON by TRON Forum, Mentor's Nucleus RTOS, and ZebOS, a routing platform which provides TCP/IP services for other operating systems.
Now, the DHS is urging companies[2] to check the technical specifications of the devices they're using and see if they're running any of the affected operating systems.
To help, Armis has released a tool[3] that scans networks for devices that contain the IPnet networking stack and are vulnerable to the Urgent/11 vulnerabilities.
In a similar advisory, the FDA is urging hospitals and other healthcare providers to do the same[4]. The only medical devices that have been confirmed as being vulnerable to Urgent/11 is the BD Alaris infusion pump and the Xprezzon patient monitor; however, many more could also be susceptible to attacks.