Heads up – big post from SonicWall on a firmware vulnerability on their
platform. Since VXWorks is a common OS for embedded systems, the security
researchers suggest in their article (link: https://armis.com/urgent11/)
that this vulnerability will require you to patch many, many additional
devices – as VXWorks is used as a base OS on devices as diverse as routers,
firewalls, modems, VOIP phones, printers, industrial controllers, MRI
machines, and many other embedded systems.
The Sonicwall announcement is available at the two links below, or by
viewing the blog post I copied and pasted into my message.
Short URL: http://cpate.ch/sw20190729
Full URL:
https://blog.sonicwall.com/en-us/2019/07/wind-river-vxworks-and-urgent-11-patch-now/
I expect that many of our devices including home routers used by team
members and network printers will need firmware updates to patch against
these issues.
Best regards, Brian
_________
*Brian F. Tankersley, CPA, CITP, CGMA*
*Director, Strategic Relationships, K2 Enterprises, LLC*
brian@xxxxxxx / brian@xxxxxxxxxx
(865) 684-4707 (O)/(865) 405-0131 (M)
[image: Facebook] <https://www.facebook.com/bftcpa>
[image: Twitter] <https://twitter.com/bftcpa>
[image: Instagram] <https://www.instagram.com/bftcpa>
[image: Linkedin] <https://www.linkedin.com/in/bftcpa>
Wind River VxWorks and URGENT/11: Patch Now
<https://blog.sonicwall.com/en-us/2019/07/wind-river-vxworks-and-urgent-11-patch-now/>
July 29, 2019/0 Comments
<https://blog.sonicwall.com/en-us/2019/07/wind-river-vxworks-and-urgent-11-patch-now/#respond>
/in Threat intelligence
<https://blog.sonicwall.com/en-us/category/threat-intelligence/> /by John
Gmuender <https://blog.sonicwall.com/en-us/author/jgmuender/>
*Notice: *SonicWall physical firewall appliances running certain versions
of SonicOS utilize third-party TCP/IP code for remote management that
contain vulnerabilities named URGENT/11. At this time, there is no
indication that the discovered vulnerabilities are being exploited in the
wild, however:
*SonicWall STRONGLY advises to apply the SonicOS patch immediately. Patches
are available for all recent SonicOS versions. Detailed instructions are
provided in the Security Advisory
<https://www.sonicwall.com/support/product-notification/?sol_id=190717234810906>*
*.*
SonicWall provides the patched versions of SonicOS at no charge, including
for customers not currently covered by an active support contract.
SonicWall also recommends updating to the latest SonicOS release (6.5.4.4)
<https://www.sonicwall.com/support/knowledge-base/?sol_id=170504337655458>,
which provides firewall capabilities to help protect other devices
vulnerable to URGENT/11*.*
------------------------------
Wind River VxWorks and URGENT/11 vulnerabilities
Security researchers at Armis have discovered and responsibly disclosed 11
vulnerabilities <https://armis.com/urgent11/> in the TCP/IP stack of Wind
River’s VxWorks real-time operating system, which is utilized by millions
<https://en.wikipedia.org/wiki/VxWorks#Notable_uses> of devices around the
world, as well as in space, on Mars
<https://blogs.windriver.com/wind_river_blog/2018/11/back-to-mars-with-vxworks.html>
and in certain versions of SonicOS. The Wind River VxWorks TCP/IP stack,
named IPNET, contains vulnerabilities that have been given the name “
URGENT/11 <https://armis.com/urgent11/>.” The one material vulnerability
type that impacted SonicOS is addressed by the patch releases.
Unmanageable & un-patchable: The Wild West of IoT
Wind River VxWorks is a real-time operating system that is widely used
<https://en.wikipedia.org/wiki/VxWorks#Notable_uses> in IoT and embedded
applications, such as networking, telecom, automotive, medical, industrial,
consumer electronics, aerospace and beyond
<https://www.windriver.com/inspace/>.
While firewalls are charged with protecting perimeters of organizations,
they are actively managed and monitored devices, frequently from a central
location. For every firewall, there is a human who wakes up each morning
with a question, “*Is my firewall working? Is it up to date?”* Within days
of an update becoming available, these humans schedule a maintenance window
and close the security gap.
However, for the overwhelming majority of other devices connected or
exposed to the internet, there is no such human, and the number of these
IoT devices is larger than that of firewalls by several orders of
magnitude. It is this multitude of connected devices that are not actively
managed or patched that poses an iceberg-like risk to the internet.
Vulnerabilities are eventually discovered for even the best software, and
the security of the internet and the online ecosystem relies on the ability
to roll out and deploy the fixes.
In the mid-year update to the 2019 SonicWall Cyber Threat Report
<https://www.sonicwall.com/lp/2019-cyber-threat-report-lp/?elqCampaignId=10997&sfc=7012M0000017bi0QAA>,
SonicWall Capture Labs threat researchers have already logged 13.5 million
IoT attacks, which outpaces the first two quarters of 2018 by 54.6%.
[image: https://blog.sonicwall.com/wp-content/uploads/IoT-Malware.png]
<https://blog.sonicwall.com/wp-content/uploads/IoT-Malware-1030x620.png>
This reality is taking hold in the minds not only of security
practitioners, but also of government regulators, as the hundreds of
millions of IoT devices are found to be vulnerable and remain unpatched.
This is one of the risky underbellies of the internet, led by the explosion
of IoT devices, including consumer-grade devices that are frequently
deployed at the edge of the internet and then forgotten for a decade. IoT’s
broad reach should reverberate through several industries as a wakeup call.
‘Never stop patching’
The weaponization of published vulnerabilities against old software serves
as an important reminder that customers should never procrastinate software
updates, which are one of the most important steps you can take to secure
your infrastructure against today’s rapidly-evolving threat landscape.
Do not ignore them or put them off. Patch now. And never stop patching.
John Gmuender <https://blog.sonicwall.com/en-us/author/jgmuender/>
[image: John Gmuender] <https://blog.sonicwall.com/en-us/author/jgmuender/>
Senior VP, Chief Technology Officer | SonicWall <https://www.sonicwall.com>
John Gmuender has over 30 years of software and hardware engineering
experience including 25 years of startup and corporate management. Mr.
Gmuender is the visionary and technical leader behind SonicWall's
Reassembly-Free Deep Packet Inspection (RF-DPI) technology and SonicWall's
Massively Scalable Multi-Core Security Architecture and Platform. At
SonicWall, he has led the network security line through four successful
product generations, enabling new business models for the company and the
industry, including the cloud-delivered subscription services model. Mr.
Gmuender came to SonicWall with the acquisition of SecureCom Networks, the
startup he founded and led as CEO and VP of Engineering. Prior to SecureCom
Networks, Mr. Gmuender led his engineering and networking consulting
company, GUM, providing detailed engineering expertise in networking,
security, software, and hardware, to many companies including JMA/Network
Translation, the developer of the PIX firewall prior to its acquisition by
Cisco in 1996. During his career, Mr. Gmuender has held management and
engineering roles in the development of x86 and Sparc microprocessors at
Cyrix and Fujitsu/HaL Computer Systems respectively, and began his career
at IBM in the Communications Division. Mr. Gmuender has numerous patents
and publications in both hardware and software, and graduated Summa Cum
Laude with a Bachelor of Science degree in Electrical Engineering from
North Carolina State University.
*Tags:* patch <https://blog.sonicwall.com/en-us/tag/patch/>, patching
<https://blog.sonicwall.com/en-us/tag/patching/>, SonicOS
<https://blog.sonicwall.com/en-us/tag/sonicos-en-us/>, TCP/IP
<https://blog.sonicwall.com/en-us/tag/tcp-ip/>, URGENT/11
<https://blog.sonicwall.com/en-us/tag/urgent-11/>, VxWorks
<https://blog.sonicwall.com/en-us/tag/vxworks/>, Wind River
<https://blog.sonicwall.com/en-us/tag/wind-river/>, Wind River VxWorks
<https://blog.sonicwall.com/en-us/tag/wind-river-vxworks/>
