FDA Issues Warning over Urgent/11 Vulnerabilities in Component Used in Medical Devices

The U.S. Food and Drug Administration (FDA) and ICS-CERT have issued warnings about 11 vulnerabilities in a software component used in several operating systems and certain medical devices. The vulnerabilities, collectively referred to as URGENT/11, could lead to remote code execution, information disclosure, and attacks that change the functionality of medical devices and stop them working as intended.

While there have not been any known attacks exploiting the flaws, the FDA warns that the software required to exploit the vulnerabilities is publicly available. The flaws were discovered by security researchers at Armis and were reported in July as affecting the WindRiver VxWorks operating system. The vulnerabilities affect a software component called IPnet which supports network communications between computers.

VxWorks is used by millions of devices, and the researchers suggested the flaws may affect other Real Time Operating System (RTOS) vendors. Since the initial discovery, the researchers have found the vulnerabilities are also present in certain versions of the following operating systems.

  • Operating System Embedded (OSE) (by ENEA)
  • INTEGRITY (by Green Hills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON Forum)
  • ZebOS (by IP Infusion)

Along with certain products from the following companies:

  • ABB
  • Avaya
  • Belden Industrial Devices
  • ExtremeNetworks
  • NetApp
  • Rockwell Automation
  • Schneider Electric
  • Siemens
  • Sonicwall Firewalls
  • TrendMicro IPS
  • Woodward
  • Xerox Printers
  • Xylem

And certain medical devices made by the following manufacturers:

  • BD (Beckton Dickinson)
  • Drager
  • GE Healthcare
  • Philips Healthcare
  • Spacelabs

Affected devices include a drug infusion pump, an anesthesia machine, and a medical imaging system. The original developer no longer supports the software component, but it is still in use in many operating systems and devices under license without support.

WindRiver has issued patches to correct the vulnerabilities and has published mitigations that can be implemented to reduce the risk of exploitation and device manufacturers and other developers of operating systems have each issued their own advisories.

Mitigations or patches should be applied as soon as possible to prevent exploitation of the flaws.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news