INDUSTRIAL, FACTORY AND MEDICAL GEAR REMAIN LARGELY UNPATCHED WHEN IT COMES TO THE URGENT/11 AND CDPWN GROUPS OF VULNERABILITIES.
According to researchers at Armis, a whopping 97 percent of the OT devices impacted by URGENT/11 have not been patched, despite fixes being delivered in 2019. And 80 percent of those devices affected by CDPwn remain unpatched. URGENT/11 is a collection of 11 different bugs that can affect any connected device leveraging Wind River’s VxWorks. VxWorks is a real-time operating system (RTOS) that third-party hardware manufacturers have embedded in more than 2 billion devices across industrial, medical and enterprise environments. Most concerningly, URGENT/11 includes six remote code-execution (RCE) vulnerabilities that could give an attacker full control over a targeted device, via unauthenticated network packets. CDPwn encompasses five critical vulnerabilities discovered in February in the Cisco Discovery Protocol (CDP), the info-sharing layer that maps all Cisco equipment on a network. The bugs can allow attackers with an existing foothold in the network to break through network-segmentation efforts and remotely take over millions of devices.