Series of Zero-Day Vulnerabilities Could Endanger 200 Million Devices

VxWorks has been deployed across different markets for more than 30 years and is still used in numerous embedded systems and IoT devices, including mission critical supervisory control and data acquisition systems, such as elevator and industrial controllers, as well as patient monitors, MRI machines, firewalls, routers, modems, VOIP phones and printers, according to Wind River. "Moreover, numerous impacted devices are sensitive devices that are used in industrial, manufacturing, or healthcare delivery environments; scanning or probing these devices with a traditional network vulnerability scanner is unwise because those actions are likely to disrupt or crash the devices". A patch is available, but because many organizations don't know what operating systems are running on their IoT devices, it seems likely that many devices will remain vulnerable.

Companies that use versions of VxWorks include giant corporations such as Siemens, Asea Brown Boveri, Rockwell Automation, Mitsubishi, Samsung, Ricoh, Xerox, NEC and others.

According to the Armis report [PDF], all 11 of the vulnerabilities (dubbed Urgent/11 for marketing purposes) are found in the VxWorks TCP/IP stack, IPnet.

They include six critical flaws that enable remote code execution and five that can lead to denial of service, leaking of information or errors.

Wind River explains that the IPnet "networking stack is a component of some versions of VxWorks, including end-of-life (EOL) versions back to 6.5". Because the vulnerabilities reside in the IPnet networking stack, they can often be exploited by little more than booby-trapped packets sent from the Internet.

The affected devices are primarily non-critical enterprise devices at network perimeters such as modems, routers, and printers, as well as some industrial and medical devices.

"Even a device that is reaching outbound to the internet could be attacked and taken over. Alternately, an attacker who has already managed to infiltrate a network can use Urgent/11 to target specific devices within it, or even broadcast an attack capable of taking over all impacted VxWorks devices in the network simultaneously", Armis researchers shared. The fact that the flaws are in the network protocol layer means attackers can remotely interfere with the device without a user to initiate the exploit.

Should a miscreant be able to connect to a vulnerable VxWorks device, they would potentially be able to send packets that could exploit any of the six critical flaws (CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12257) to gain remote code execution, thus leading to a complete takeover of the hardware.

In the "attack from within the network" scenario, an attacker could breach all vulnerable devices at once by broadcasting malicious packets throughout the network.


VxWorks is closed source, so assessing it for vulnerabilities is not easy.

Customers have been notified of the security flaws and were instructed to take mitigation action or install the latest patches. Devices protected by perimeter security measures can also be vulnerable once they create outbound TCP connections to the internet. Organizations often rely on these devices to run continuously. According to a search Armis did on Shodan, there are over 800,000 such devices reachable over the internet.
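The point about perimeter-protected devices still being exposed through their own outbound connections is one a defender can check for without actively probing the devices (which the article warns against). The following is an added example, not code from the article, Armis or Wind River: it takes an asset inventory of hosts known to run VxWorks (a constructed, hypothetical list) and a handful of constructed firewall log lines in an invented key=value format, and reports every allowed TCP connection from a VxWorks asset to a non-internal address. The "internal" ranges are an explicit list rather than Python's `is_global`, because the documentation addresses used in the sample are classified as private by the standard library.

```python
import ipaddress

# Constructed inventory (assumption): IPs of devices the asset database says run VxWorks.
VXWORKS_ASSETS = {
    "10.20.1.15": "printer-floor2",
    "10.20.3.7": "plc-line-a",
}

# Address ranges treated as "not the internet" for this check. Listed explicitly so that
# the constructed sample addresses below (RFC 5737 documentation ranges) count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "224.0.0.0/4", "255.255.255.255/32",                # multicast, limited broadcast
)]

# Constructed firewall log lines (invented format; not real device output).
SAMPLE_LOG = """\
2019-07-29T10:01:12 action=allow proto=tcp src=10.20.1.15 sport=49152 dst=203.0.113.40 dport=443
2019-07-29T10:01:13 action=allow proto=tcp src=10.20.5.9 sport=51000 dst=203.0.113.40 dport=443
2019-07-29T10:02:01 action=allow proto=tcp src=10.20.3.7 sport=1025 dst=10.20.0.5 dport=502
2019-07-29T10:02:44 action=deny proto=tcp src=10.20.3.7 sport=1026 dst=198.51.100.7 dport=80
2019-07-29T10:03:10 action=allow proto=udp src=10.20.1.15 sport=68 dst=255.255.255.255 dport=67
"""


def parse_line(line):
    """Split one 'timestamp key=value ...' log line into a dict."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    fields["ts"] = parts[0]
    return fields


def is_internal(ip):
    """True when the address falls in one of the INTERNAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_exposures(log_text, assets):
    """Return (ts, asset name, src, dst, dport) for every allowed TCP connection
    initiated by a VxWorks asset towards an address outside the internal ranges."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") != "allow" or f.get("proto") != "tcp":
            continue
        if f["src"] not in assets or is_internal(f["dst"]):
            continue
        findings.append((f["ts"], assets[f["src"]], f["src"], f["dst"], int(f["dport"])))
    return findings


def exposed_assets(log_text, assets):
    """Set of asset names that reached the internet at least once; the candidates for
    egress filtering and priority patching."""
    return {name for _, name, _, _, _ in outbound_exposures(log_text, assets)}


if __name__ == "__main__":
    for ts, name, src, dst, dport in outbound_exposures(SAMPLE_LOG, VXWORKS_ASSETS):
        print(f"{ts} {name} ({src}) -> {dst}:{dport}")
```

Only the printer's HTTPS session to the external address is reported: the PLC's Modbus connection stays inside the internal ranges, its denied attempt never completed, the UDP broadcast is not a TCP session, and 10.20.5.9 is not a VxWorks asset. Feeding real firewall or NetFlow exports through a parser of the same shape gives the list of devices whose outbound traffic should be restricted until they are patched.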

"Security appliances can and should be used to detect any attempts using Urgent/11 vulnerabilities", Seri noted. The flaws don't impact all VxWorks versions, but are estimated to affect about 200 million devices. Prior to Wind River's acquisition of the IPnet stack, it was broadly licensed to and deployed by a number of real-time operating system vendors.

"URGENT/11 are the most severe vulnerabilities found in VxWorks to date, which has suffered from only 13 public CVEs in its 32-year history".

"VxWorks' uncharted nature stems from the fact that it is closed source, making it harder to inspect, and the fact that it is an RTOS, which has received less attention from the research community as it does not operate consumer devices", the researchers noted.

The full list of vulnerabilities can be found on Wind River's security site.

"Unfortunately, real-time operating systems have not been researched as thoroughly as most consumer operating systems have, and VxWorks is not the only widely used RTOS", Seri says. "So from time to time, the work of vulnerability researchers can help uncover such vulnerabilities".

Since Armis researchers disclosed the 11 vulnerabilities to Wind River before publishing their findings on Monday, the company's security team has prepared and published a number of patches to fix the vulnerabilities. Baker did not provide an estimate of how many devices the company believes are vulnerable to Urgent/11, and would only say that "those impacted make up a small subset of our customer base".
