Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
12/16/2020
11:20 AM
50%
50%

Patching Still Poses Problems for Industrial Controllers, Networking Devices

More than 90% of devices that run popular embedded operating systems remain vulnerable to critical flaws disclosed more than a year ago.

Two families of critical vulnerabilities that impact operational technology (OT), embedded devices, and network hardware continue to undermine the security of the vast majority of originally affected devices because patching the issues has been glacially slow, according to a new research report by device-security firm Armis.   

Using random sampling, the company checked the patch status of devices vulnerable to flaws affecting seven vulnerable embedded operating systems, including the widespread VxWorks, which it had disclosed in July and October 2019, finding that 97% of devices have not been updated to a patched version of the software. The company also scanned a subset of Cisco network, IP phone, and camera devices for a set of five vulnerabilities disclosed in February 2020, finding 80% of those devices remained vulnerable.

Related Content:

Manufacturing Sees Rising Ransomware Threat

Building an Effective Cybersecurity Incident Response Team

New From The Edge: Why Secure Email Gateways Rewrite Links (and Why They Shouldn't)

The fact that vulnerable software continues to affect the devices months after the flaws were disclosed underscores the difficulty in patching critical hardware, says Ben Seri, head of research for Armis. 

"These are the types of devices that seem to be hard to patch," he says. "They are in critical applications, and companies often don't want to risk an outage by updating them or taking down the network to fix them."

Vulnerabilities in software used to run operational technology and embedded devices are notoriously difficult to patch and, because they are used in such critical applications, often require complex orchestration to attempt patching. 

The response to the Heartbleed vulnerability in 2014, which affected the OpenSSL cryptographic library, shows the problems complex remediation can have on effective patching rates. Initial patching happened quickly, with the Alexa top 1 million sites driving their vulnerability rate from a maximum of 55% to less than 11% in two days. However, 14% of those patched failed to take another step — changing their private keys — and so remained vulnerable to attack.

"Patching is important, but patching takes time to deploy to mission-critical devices," Seri says. "There is often a reason for them not to get patches, but when you are ready to patch them and take the device offline, it should be easier to complete."

In August, the Defense Advanced Research Project Agency (DARPA) granted $3.9 million to researchers at Purdue University, the University of California at Santa Barbara, and the Swiss Federal Institute of Technology Lausanne (EPFL) to work on a four-year project to improve patching in vulnerable embedded systems and develop automatic and minimal code patching for embedded devices, especially ones for which patches may not be available.

"Many old software components running in these systems are known to contain vulnerabilities; however, patching them to fix these vulnerabilities is not always possible or easy," said Antonio Bianchi, an assistant professor in computer science, in a statement at the time

The Armis survey of devices found that two families of vulnerabilities continue to cause significant security gaps for companies. The URGENT/11 vulnerabilities — a set of 11 issues that the cybersecurity firm had previously disclosed in July 2019 — allowed denial-of-service attacks, information leaks, and remote code execution. In October 2019, the company revealed that six other real-time operating systems that supported the IPnet TCP/IP stack were impacted as well: OSE by ENEA, Integrity by Green Hills, ThreadX by Microsoft, Nucleus RTOS by Mentor, ITRON by TRON Forum, and ZebOS by IP Infusion.

While a subset of the vulnerabilities could allow a worm to propagate using exploits, companies continue to be vulnerable, with 97% of the devices originally affected by the security issues remaining vulnerable.

Armis' Seri blames the difficulty in deploying a patch to the millions of devices for the slow patch progress.

The company has also tracked a second set of security issues that its researchers had disclosed in February 2020. Those five vulnerabilities affect Cisco's Discovery Protocol (CDP) and could allow a remote exploit to take control of a device. The company estimates that only 20% of devices that had been vulnerable have been patched. 

"Patching is important, but patching takes time to deploy to mission-critical devices," Seri says. "There is a reason for them not to get patches, but it should be easier to patch them when you do need to take them offline."

Most notably, the aviation and retail industries continue to have high rates of vulnerable devices, with 83% and 90% of vulnerable Cisco devices remaining unpatched. A large number of industrial controllers and networks are also impacted by the two families of issues, Seri says.

"We do see a lot of manufacturing is being targeted by attacks as well," he says. "So the high percentage of vulnerable devices impacted and the low frequency of patching puts these devices in the highest risk category."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25382
PUBLISHED: 2021-04-23
An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command.
CVE-2021-26291
PUBLISHED: 2021-04-23
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be t...
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...