The Claroty Blog

Mitigating the Impact of Urgent11 on ICS/OT Networks

| Amir Preminger, VP Research

Claroty releases free tool for protecting against vulnerabilities


A recent report known as Urgent11 exposed a series of vulnerabilities in the TCP/IP stack in the VxWorks embedded operating system. These vulnerabilities and how to mitigate their impact will be the focus of today's’ post. We will also introduce a custom detection tool to help device owners detect threats on their networks.


VxWorks is a common Real-Time Operating System (RTOS) developed by Wind River Systems, and used widely on embedded devices, including those used in the OT space. This RTOS provides developers with the entire operating system, so that their focus remains solely locked on the actual case-specific code, think how Windows operates in relation to PCs.

IP-TCP stack and hidden fields

As part of VxWorks kernel services features, Vxworks provide full TCP/IP stack services to the user applications. One of the key challenges when developing full IP-TCP stack from scratch is keeping up with all of the different options described in the basic TCP/IP RFCs that enable better performance and manage reliable connections. Many of the fields within the TCP/IP layers contains “length” fields that indicate the amount of data and enable the TCP/IP stack to manage packet fragmentation that can occur in some physical connection scenarios. Mishandling such fields can lead to memory corruption and remote code execution (RCE).

The Impact 

Now let’s evaluate the Urgent11 case in this context.The report published by a group of security researchers exposed 11 vulnerabilities in the VxWorks TCP/IP stack. Each vulnerability presents a different level of potential risk, ranging from  basic Denial of Service to changing the device’s IP address and performing full RCE. Translation: billions of devices around the world, many of which populate critical infrastructure sites like power and water treatment plants, large-scale manufacturing plants, national defense systems and more, are currently vulnerable to manipulation and attack.

Mitigation of Risk

The problem raised due to lack of visibility

In response to the publishing of these vulnerabilities, numerous vendors have issued blanket advisories listing their affected products and firmware versions. While these lists can assist end-users in identifying vulnerable devices on their network,  these advisories offer little by way of solutions. An asset owner trying to map their exposure to Urgent11 would require a comprehensive and up-to-date inventory of models and firmware versions in the network, something that many ICS/OT owners and operators struggle to maintain).But without this visibility, it is impossible to to identify vulnerable devices and correlate them against the existing advisories. To mitigate exposure on the network level, researchers have published SNORT rules for some of the vulnerabilities which can assist in the detection of active manipulation attempts within the network.

The Claroty Solution

There’s good news, though.  If you’re a Claroty customer, you already have this visibility!  Claroty Continuous Threat Detection (CTD) users have already received bundles containing an update to the Common Vulnerability and Exposure (CVE) database for detecting vulnerable models and firmware, as well as new threat signatures to detect attacks on a network level.

In addition to the signatures described in the published report, Clarory has added IOCs to expand the detection coverage against CVEs that were not addressed. Using the above update, our customers will be able to uncover compromised devices and detect any attempts to exploit the Urgent11 vulnerabilities.

Urgent 11 Blog Image 2


Urgent 11 Blog Image 1


In addition, our customers are encouraged to leverage CTD’s VirtualZone+ feature to identify relevant subnets and block any IP options / TCP options that are required to exploit the Urgent11 vulnerabilities..

Policies & Zones

Public Detection Tool

At the time of this posting we are unaware of any publicly available tool that could be leveraged to protect against the use of Urgent 11. Therefore we are releasing a free diagnostic tool for testing available to the public that will help detect whether network devices are vulnerable to Urgent11.  This tool implements the CVE-2019-12258 vulnerability, which is a logical vulnerability that was found to lead to connection termination if the attacker has gained access to the source/destination IP and Port.  This tool allows network owners to scan their network and identify compromised and vulnerable devices, thus garnering insight into the extent of their exposure to Urgent11. This free tool, used in addition to the vendor advisories, should provide a degree of added security for asset owners and provide much-needed transparency into their network systems.  

Vendor Advisories



Subscribe to the Blog