
Running head: RISK 1

Risk

Tyler Higgins


University of Advancing Technology

Author Note

This paper was prepared for NTW216 - Foundations of Systems Administration, taught by Mason Galatas



Abstract

In this paper I will cover the risks involved with the set of vulnerabilities known as Urgent/11. This set of 11 vulnerabilities affects the WindRiver Real Time Operating System (RTOS) created by VXWorks. The reason I will be covering Urgent/11 is because it affects such a wide range of products, and most of them are not things most people would think about, like a patient monitor. One of the worst parts of this set of vulnerabilities is the simple fact that some of the devices that run this RTOS cannot be updated, and therefore more steps need to be taken into consideration.

Risk

Current Information Technology Intrusion

The current info tech intrusion I want to go over is a set of vulnerabilities discovered by Armis. Armis is a leader in IoT device security, and they had discovered this set of vulnerabilities they dubbed Urgent/11 because there were 11 zero-day vulnerabilities discovered that affect everything from patient monitors, printers, SCADA devices, and MRI machines to firewalls.

The last item in the list, firewalls, is how this set of vulnerabilities was a major risk to the company I work for. The company I work for uses a SonicWall firewall. SonicWall just so happens to use the VXWorks RTOS in their products. If we had been attacked by a hacker that had gotten their hands on the Urgent/11 vulnerabilities, there would have been nothing we could do to stop the attack, since there would have been no way to know they were in our network until it was too late.

Overview of Selected Intrusion

Let us go over how someone can use a set of vulnerabilities to completely bypass a firewall. The Urgent/11 vulnerabilities take advantage of a defect in the VXWorks TCP/IP (IPNet) stack and allow the connection to be modified. This can lead to a complete bypass of a firewall, as most modern security solutions cannot detect this attack. One of the worst parts of this set of vulnerabilities is the fact that they are found in every version of the VXWorks RTOS since version 6.5, which was launched 13 years ago, and in total affect 2 billion devices around the world. There is also a chance that this set of vulnerabilities can be found and exploited in other devices, since the same IPNet stack was used in other operating systems before VXWorks acquisition in 2006.



Risk to my Organization

As mentioned above, the company I work for uses SonicWall firewalls and switches, which means we were very open to this attack. Had an attacker had the chance to exploit the vulnerability on our network, we could have been massively affected. I am a network admin for a small aviation maintenance school, and had an attacker been able to get into our network, the attacker could have gotten access to employee and student files. Our corporate team also maintains a VPN connection between their office and our campus; both sides of the connection run SonicWall devices, as do all of our campuses, which means if one campus gets attacked it would be possible for every campus to get breached. This could then lead to a ransomware attack on every campus in our organization.

How to Mitigate the Risk

Luckily there is an easy way to mitigate this risk. Lucky for everyone involved, Armis is a reputable company and immediately disclosed the Urgent/11 vulnerabilities to WindRiver. As soon as WindRiver got the information, they patched the IPNet framework and let all the distributors and integrators that used a vulnerable version of VXWorks know of the dangers, and patches were created. That means if your device is vulnerable to this set of vulnerabilities, a patch has most likely been built, and all that needs to be done is to upgrade your device firmware to become safe. Also, as a way to help companies find vulnerable devices on their network, Armis has created an Urgent/11 detector that is freely available on GitHub.

Research Conducted

To research this topic I looked up the article written by Armis, as well as the article on WindRiver’s website. I also looked up the information SonicWall had published on their site, since that was the hardware that my company had on site that was vulnerable to this set of vulnerabilities. Lastly, I also looked up the Urgent/11 Detector published to GitHub by Armis security.

Summary

In summary, the set of vulnerabilities named Urgent/11 affected 2 billion devices in a wide range of industries. Urgent/11 would allow an attacker to bypass most modern security devices, like a firewall, by exploiting the TCP/IP stack used in WindRiver’s VXWorks RTOS. Once a device has been compromised, it can be used to steal data, like patient data, or used to pivot to another device on the network. A way to protect from Urgent/11 is to upgrade the firmware, where possible, on all devices that run VXWorks, and to have a security system in place that can monitor IoT devices that cannot receive firmware updates.



References

R (Version 4.0.2; Gmuender, 2019) and the R-packages base (Version 4.0.2; Gmuender, 2019), and papaja (Version 0.1.0.9997; Aust & Barth, 2020)

Aust, F., & Barth, M. (2020). papaja: Create APA manuscripts with R Markdown. Retrieved from https://github.com/crsh/papaja

A. (2019, October 08). ArmisSecurity/urgent11-detector. Retrieved September 21, 2020, from https://github.com/armissecurity/urgent11-detector

A. (2020, March 27). URGENT/11 Leaves Billions of Devices Open to Cyber Security Risks. Retrieved September 21, 2020, from https://www.armis.com/urgent11/

Gmuender, J. (2019, July 29). Wind River VxWorks and URGENT/11: Patch Now. SonicWall. Retrieved September 21, 2020, from https://blog.sonicwall.com/en-us/2019/07/wind-river-vxworks-and-urgent-11-patch-now/

Host, R. (2019, August 02). SonicWall URGENT/11 vulnerabilities. Retrieved September 21, 2020, from https://support.swanlibraries.net/news/2019-08/66781

SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11). (2019, July 29). Retrieved September 21, 2020, from https://www.tenable.com/plugins/nessus/127107

Vulnerabilities in medical devices prompt FDA & DHS to issue advisories. (2019, October 29). Retrieved September 21, 2020, from https://www.armis.com/resources/iot-security-blog/urgent-11-update/
