Armis research finds industrial devices still vulnerable to URGENT/11 and CDPwn, despite warnings


Security firm Armis Inc. said that it has tracked exposure to the URGENT/11 and CDPwn vulnerabilities over the 18 months since their disclosure, and found that 97 percent of the OT devices affected by URGENT/11 have not been patched, while 80 percent of those affected by CDPwn remain unpatched.

The URGENT/11 vulnerabilities, a set of eleven flaws in the IPnet TCP/IP stack best known from Wind River's VxWorks real-time operating system, affect enterprise and medical devices as well as operational technology (OT), industrial control systems (ICS) and programmable logic controllers (PLCs), wrote Ben Seri, VP of Research at Armis, in a blog post. Affected devices are typically deployed in production and manufacturing environments for mission-critical tasks such as monitoring and controlling the physical equipment that runs a process.

Likewise, though Cisco released patches in conjunction with Armis' disclosure of the CDPwn vulnerabilities, close to 80 percent of impacted devices remain unpatched. CDPwn affects tens of millions of enterprise devices, including switches, routers, VoIP phones and IP cameras, Seri added. While most attacks target the application or network layers, CDPwn is unusual because the Cisco Discovery Protocol (CDP) is a Layer 2 (data link layer) protocol: its frames are carried directly over Ethernet, never cross a router, and are processed by every CDP-enabled device on the local segment.

Using one of the critical remote-code-execution (RCE) vulnerabilities from URGENT/11, Armis was able to exploit two widely deployed PLC platforms: Rockwell Automation's ControlLogix, through its 1756-EN2TR EtherNet/IP communication module, and Schneider Electric's Modicon M580. PLCs are industrial computer control systems that continuously monitor the state of input devices and, based on a custom program, set the state of output devices.

In the case of the Rockwell Automation PLC, Armis researchers took control of the Ethernet module that handles communication between the PLC and the engineering workstation, and from there gained unconstrained access to the PLC. In the case of the Schneider Electric PLC, the Ethernet module is built into the Modicon controller itself, so taking it over gave Armis ring-0 access to the entire PLC. Ring 0 is the most privileged execution level, the one that interacts directly with hardware such as the CPU and memory. The exploit Armis developed requires neither authentication nor user interaction.

With this level of access, an attacker can alter code on the PLC, change incoming or outgoing messages, or send false or misleading data to the engineering workstation. Both Rockwell Automation and Schneider Electric issued patches for the URGENT/11 vulnerabilities.

CDPwn has several potential implications. Armis developed an exploit that defeats built-in mitigations on vulnerable Cisco devices, such as address space layout randomization (ASLR), and showed that it is possible to take control of all VoIP phones on a given local network segment simultaneously, using maliciously crafted Ethernet broadcast packets.

ASLR is an operating-system memory-protection technique that randomizes where executables, libraries, the stack and the heap are placed in a process's address space. It does not stop a buffer overflow from occurring, but it makes the overflow much harder to turn into code execution, because memory-corruption exploits generally depend on knowing or guessing the addresses of functions and data in the target. Defeating it therefore usually requires an information leak or code at a predictable address, which is why an ASLR bypass on embedded devices is notable.

A broadcast attack of this nature is extremely rare and gives an attacker a distinctive capability: no reconnaissance is needed to identify specific targets. The attacker can simply take an opportunistic approach, sending the crafted broadcast packets onto the network and taking over every vulnerable device on the same LAN in parallel, Armis said. The flip side is that CDP frames are not routed, so the attacker must already have a foothold on that Layer 2 segment; where the protocol is not needed, Cisco IOS devices can disable it globally ("no cdp run") or per interface ("no cdp enable"), which removes the attack surface regardless of patch status.
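Because CDP lives below IP (an 802.3 length field, then an LLC/SNAP header with Cisco's OUI and protocol ID 0x2000, then a version/TTL/checksum header and a run of type-length-value records), the only place to inspect it is on the segment itself. The Python below is an added example, not Armis's or Cisco's code: a minimal CDP frame parser that walks the TLVs and reports structural anomalies a crafted frame would exhibit, such as a length field that runs past the end of the frame, a length under the 4-byte TLV header (which stalls a naive parser), or oversized and non-printable string TLVs. The sample frames are constructed, not captures, and the 256-byte threshold and the anomaly rules are this example's own heuristics, not signatures for the specific CDPwn bugs.

```python
import struct

# CDP is carried in 802.3 frames with an LLC/SNAP header, not over IP.
CDP_MULTICAST = bytes.fromhex("01000ccccccc")        # 01:00:0c:cc:cc:cc
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")    # LLC + Cisco OUI + CDP PID

TLV_NAMES = {
    0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
    0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform",
    0x000a: "Native VLAN", 0x000b: "Duplex", 0x0010: "Power",
    0x0019: "Power Request", 0x001a: "Power Available",
}
STRING_TLVS = {0x0001, 0x0003, 0x0005, 0x0006}
MAX_STRING_TLV = 256  # assumed alerting threshold for this example, not a protocol limit


def parse_cdp_frame(frame: bytes):
    """Walk one CDP frame and return (tlvs, findings).

    tlvs is a list of (type, value) pairs in wire order; findings is a list of
    anomaly strings. Malformed input never raises: it produces a finding and
    parsing stops at the first TLV that cannot be trusted.
    """
    findings = []
    if len(frame) < 26:  # 14 (802.3) + 8 (LLC/SNAP) + 4 (CDP header)
        return [], ["frame too short to hold an 802.3/LLC/SNAP/CDP header"]
    dst = frame[0:6]
    length_field = struct.unpack("!H", frame[12:14])[0]
    if dst != CDP_MULTICAST:
        findings.append(f"destination {dst.hex(':')} is not the CDP multicast address")
    if frame[14:22] != SNAP_CDP:
        return [], findings + ["LLC/SNAP header does not carry CDP (PID 0x2000)"]
    payload = frame[22:]
    if length_field != 8 + len(payload):
        findings.append(f"802.3 length {length_field} disagrees with {8 + len(payload)} bytes present")
    version = payload[0]
    if version not in (1, 2):
        findings.append(f"unexpected CDP version {version}")
    # The checksum (payload[2:4]) is deliberately not verified: the sender
    # computes it, so it offers no protection against a crafted frame.

    tlvs = []
    off = 4
    while off < len(payload):
        if len(payload) - off < 4:
            findings.append(f"{len(payload) - off} trailing byte(s) after the last complete TLV")
            break
        t, l = struct.unpack("!HH", payload[off:off + 4])
        name = TLV_NAMES.get(t, f"type 0x{t:04x}")
        if l < 4:
            # Length includes the 4-byte header; a parser that trusts it never advances.
            findings.append(f"{name} TLV declares length {l} < 4")
            break
        if off + l > len(payload):
            findings.append(f"{name} TLV declares {l} bytes but only {len(payload) - off} remain")
            break
        value = payload[off + 4:off + l]
        tlvs.append((t, value))
        if t in STRING_TLVS:
            if len(value) > MAX_STRING_TLV:
                findings.append(f"{name} TLV is {len(value)} bytes, over the {MAX_STRING_TLV}-byte threshold")
            if not all(0x20 <= b < 0x7F for b in value):
                findings.append(f"{name} TLV contains non-printable bytes")
        off += l
    return tlvs, findings


def tlv(t: int, value: bytes, declared_len=None) -> bytes:
    """Encode one TLV; declared_len lets a test forge an inconsistent length field."""
    length = 4 + len(value) if declared_len is None else declared_len
    return struct.pack("!HH", t, length) + value


def build_cdp_frame(src_mac: bytes, body: bytes) -> bytes:
    """Wrap a TLV body in a CDPv2 header and an 802.3/LLC/SNAP frame (checksum left zero)."""
    payload = bytes([2, 180, 0, 0]) + body  # version 2, TTL 180 s, checksum placeholder
    return CDP_MULTICAST + src_mac + struct.pack("!H", 8 + len(payload)) + SNAP_CDP + payload


# Constructed sample frames for this example (not captures).
SRC = bytes.fromhex("001122334455")
BENIGN = build_cdp_frame(SRC, tlv(0x0001, b"sw-core-1")
                         + tlv(0x0003, b"GigabitEthernet0/1")
                         + tlv(0x0006, b"cisco WS-C2960"))
# Port ID TLV whose length field (1024) runs far past the end of the frame.
OVERSIZED_PORT_ID = build_cdp_frame(SRC, tlv(0x0001, b"attacker")
                                    + tlv(0x0003, b"A" * 20, declared_len=0x0400))
# Zero-length TLV: a parser that trusts the field loops forever on it.
ZERO_LENGTH_TLV = build_cdp_frame(SRC, tlv(0x0003, b"A" * 8, declared_len=0))

if __name__ == "__main__":
    for label, frame in [("benign", BENIGN), ("oversized", OVERSIZED_PORT_ID),
                         ("zero-length", ZERO_LENGTH_TLV)]:
        tlvs, findings = parse_cdp_frame(frame)
        print(label, [(TLV_NAMES.get(t, hex(t)), v) for t, v in tlvs], findings)
```

Feeding it frames from a span or mirror port on the segment (for example via a raw socket bound to the interface) turns it into a cheap tripwire for the kind of traffic described above; the point of stopping at the first bad TLV rather than skipping it is that once a length field is untrustworthy, nothing after it can be aligned reliably.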

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have issued repeated warnings about the existence of security vulnerabilities with critical infrastructure, and warned that various devices are being targeted, Armis said.

In October, the NSA published a report identifying the top 25 vulnerabilities most consistently scanned for, targeted and exploited by Chinese state-sponsored hacking groups. CDPwn was identified as #24 on the list. By exploiting the CDPwn vulnerabilities, attackers could eavesdrop on voice and video calls and on camera feeds, break network segmentation, set up man-in-the-middle attacks, or exfiltrate critical information.

Also, in October, the CISA, FBI and HHS issued alert AA20-302A – warning of tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with ransomware, notably Ryuk, TrickBot and Conti.

Earlier this month, IBM Security X-Force, which partners with Armis, reported on malicious cyber actors targeting the COVID-19 cold chain, an integral part of delivering and storing the vaccine at safe temperatures.

In July, the NSA and CISA jointly issued Alert AA20-205A to all critical infrastructure and service operators that rely on OT systems to deliver core services. The alert stressed that the combination of Internet-accessible OT systems and the fact that most legacy OT devices were not designed to defend against malicious cyber activity creates a "perfect storm." The recommended corrective steps included patching, which, according to Armis' research, is not happening nearly fast enough.
