Patching Still Poses Problems for Industrial Controllers, Networking Devices

More than 90% of devices that run the popular VxWorks embedded operating system remain vulnerable to critical flaws disclosed more than a year ago.

Two families of critical vulnerabilities that impact operational technology (OT), embedded devices, and network hardware continue to undermine the security of the vast majority of originally affected devices because patching the issues has been glacially slow, according to a new research report by device-security firm Armis.   


Using random sampling, the company checked the patch status of devices vulnerable to flaws affecting the VxWorks embedded operating system disclosed in July 2019, finding that 97% of devices have not been updated to a patched version of the software. The company also scanned a subset of Cisco network, IP phone, and camera devices for a set of five vulnerabilities disclosed in February 2020, finding 80% of those devices remained vulnerable.


The fact that vulnerable software continues to affect the devices months after the flaws were disclosed underscores the difficulty in patching critical hardware, says Ben Seri, head of research for Armis. 


"These are the types of devices that seem to be hard to patch," he says. "They are in critical applications, and companies often don't want to risk an outage by updating them or taking down the network to fix them."


Vulnerabilities in the software that runs operational technology and embedded devices are notoriously difficult to patch, and because the devices are used in such critical applications, patching them often requires complex orchestration.


The response to the Heartbleed vulnerability in 2014, which affected the OpenSSL cryptographic library, shows the problems complex remediation can pose for effective patching rates. Initial patching happened quickly, with the Alexa top 1 million sites driving their vulnerability rate from a maximum of 55% to less than 11% in two days. However, 14% of t ..
