URGENT/11 Vulnerabilities: Taking Action

Healthcare organizations can take steps to start mitigating risks while waiting for vendors to issue software patches to address URGENT/11 IPnet vulnerabilities in medical devices, says researcher Ben Seri of the security firm Armis, which identified the flaws.

The U.S. Food and Drug Administration and the Department of Homeland Security recently issued alerts about the vulnerabilities.

The problems exist in IPnet, a third-party software component that supports network communications and is embedded into a variety of legacy medical and industrial devices that are still in use today, despite the software, in many cases, being no longer supported by the original vendors (see FDA Issues Alert on Medical Device IPnet Vulnerabilities).

The collection of URGENT/11 vulnerabilities was first identified by Armis researchers in July as affecting some versions of the real-time operating system VxWorks by Wind River.

But on Oct. 1, the FDA issued its alert, and the DHS updated an earlier advisory after Armis researchers identified six additional real-time operating systems supporting the IPnet TCP/IP stack that are also potentially impacted by the URGENT/11 vulnerabilities.

Exploitation of the vulnerabilities could lead to remote code execution and allow an attacker to take over a whole device without interacting with the user, posing potential harm to patients if a medical device subsequently malfunctions.