Eleven vulnerabilities, collectively named Urgent/11, were made public in August 2019. Five bugs collectively named CDPwn were disclosed earlier this year and were patched at that time. However, 97% of devices affected by Urgent/11 and 80% of devices vulnerable to CDPwn attacks are still not patched.
The critical Urgent/11 vulnerabilities (PDF) were identified in Wind River's VxWorks operating system and a number of other RTOSs (real-time operating systems). All of the dangerous flaws, including six RCEs, are tied to the TCP/IP protocol stack and are present in all versions of VxWorks released over the past 13 years.
Most Urgent/11 bugs allow an attacker to take control of the target device without authentication or user interaction. According to Armis, at the time of disclosure the vulnerabilities affected more than 2 billion devices used to control medical equipment, business-critical assets, and industrial processes.
More than 30 vendors have publicly acknowledged Urgent/11, including Rockwell Automation, Schneider Electric and Siemens. Many of them have issued warnings and patches for their products. As far as we know, attackers have not even attempted to exploit these vulnerabilities.
CDPwn (PDF) stems from flaws in a proprietary network device discovery protocol, CDP (Cisco Discovery Protocol). Problems with this protocol are estimated to affect tens of millions of Cisco products, including routers, switches, IP cameras, and VoIP devices with firmware versions released over the past 10 years. One of the CDPwn vulnerabilities was recently spotted in targeted attacks by Chinese hackers.
Analysts at the information security company Armis can track whether equipment is vulnerable based on its firmware version. The Armis cloud platform currently monitors 280 million devices used in mission-critical industries.
To determine the level of patching for Urgent/11, the researchers compiled a control sample of PLCs from Rockwell Automation and Schneider Electric. They gauged exposure to CDPwn from the status of Cisco Nexus switches and VoIP devices of the 78xx and 88xx series. In both cases the results were dismal.