Opto 22 Responds to Inquiries Regarding URGENT/11

Applies To:

All Opto 22 products based on TCP/IP are free from URGENT/11 vulnerabilities, including:
GRV-EPIC-PR1
GRV-EPIC-LC (EPIC learning center)
GROOV-AR1 (all models)
SNAP PAC S-series controllers (all models)
SNAP PAC R-series controllers (all models)
SNAP PAC EB-series brains (all models)
SNAP Ethernet and SNAP Ultimate I/O (all models)

Symptoms:

NOTE: This KB article is for information. Opto 22 products do not contain this vulnerability and require no updating.

The recent announcement of security vulnerabilities discovered in the Wind River® VxWorks® IPnet TCP/IP stack has prompted questions from Opto 22 customers about what impact this discovery may have on TCP/IP-based products developed and manufactured by Opto 22.

Opto 22 would like to reassure our customers that, after careful and thorough review, we can state that none of our hardware or software products contain the VxWorks IPnet TCP/IP stack or variants of that software and are, therefore, not directly exposed to any attacks that might target these vulnerabilities. This statement applies to the recent Opto 22 product family groov EPIC® (edge programmable industrial controller), the groov® Edge Appliance (groov Box), the SNAP PAC® System, and SNAP Ethernet I/O® products.

These security vulnerabilities, dubbed URGENT/11 by Armis, an enterprise IoT security firm that made the discoveries, have far-reaching implications and affect an extremely large array of industrial, medical, and enterprise environments. These include mission-critical systems such as SCADA, industrial controllers, PLCs, PACs, and more. Other systems outside traditional industrial devices like patient monitors and MRI machines, as well as firewalls, routers, modems, VOIP phones, and printers are also affected.

For specific information about the eleven CVEs (Common Vulnerabilities and Exposures) related to the URGENT/11 discovery, please visit Wind River’s webpage: https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

Due to the fundamental design of industrial controllers and how they connect to a wide range of devices, some may confuse firmware vulnerabilities such as URGENT/11 with better known viruses and malicious software we frequently hear about. It is important to understand that only the devices that have embedded the affected IPnet TCP/IP stack are subject to attacks that target this vulnerability.

Opto 22 cannot respond to or address the possible risks or exposures created by hardware and software products manufactured by other companies. It’s important to carefully review the information provided by manufacturers of the hardware and software that run your applications and networks, making sure that they clearly indicate the specific model numbers or product names affected by this vulnerability.

Please be aware that some companies might use Opto 22 language or terms (for example, “EPIC controller”) to describe their products. These are general descriptions and have absolutely no connection to the Opto 22 groov EPIC® controller, a product name that is a registered trademark owned by Opto 22 and protected under the USPTO trademark laws of the United States. Be sure to check specific model numbers and product names, not just general descriptions, in order to minimize confusion.

For a list of affected companies and links to published advisories and their products, we suggest visiting the URGENT/11 webpage on the Armis website for more information: https://armis.com/urgent11/

Questions?

Contact: Opto 22 Product Support.
Phone: 800-835-6786 or 951-695-3080
Email: support@opto22.com

DISCLAIMER

This Opto 22 Knowledge Base ('OptoKB') article is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this OptoKB article is not intended to constitute application, design, software, or other professional engineering advice or services. Opto 22 may modify the OptoKB articles at any time. Before making any decision or taking any action which might affect your equipment, you should consult a qualified professional.

OPTO 22 DOES NOT WARRANT THE COMPLETENESS, TIMELINESS, OR ACCURACY OF THE DATA CONTAINED IN THIS OPTOKB ARTICLE AND MAY MAKE CHANGES THERETO AT ANY TIME AT ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS 'AS IS.' IN NO EVENT SHALL OPTO 22 BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT, OR DAMAGE, EVEN IF OPTO 22 HAS BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES.

OPTO 22 DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED WITH RESPECT TO THE INFORMATION (INCLUDING HARDWARE, SOFTWARE, AND/OR FIRMWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTIBILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not sanction the exclusion of implied warranties: thus, this disclaimer may not apply to you.