Researchers have found 11 serious vulnerabilities in VxWorks, the world’s most popular real-time operating system (RTOS) that powers over 2 billion devices including enterprise network firewalls and routers, industrial controllers and medical equipment. Many of the flaws allow attackers to take over devices remotely by just sending network packets, which make them particularly dangerous.
Researchers from IoT security firm Armis, who found the vulnerabilities, dubbed them URGENT/11 due to their widespread impact. The flaws are located in the operating system’s TCP/IP stack, a core component that handles network communications, and six of them can result in remote code execution (RCE).
“URGENT/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions,” the Armis researchers said in their report. “These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks. Such an attack has a severe potential, resembling that of the EternalBlue vulnerability, used to spread the WannaCry malware.”
Wind River, the company that built and maintains the VxWorks operating system has released patches to its partners and customers. However, given the complexities of the embedded device ecosystems and supply chains, as well as the challenges of deploying patches to specialized devices in general, many are likely to remain vulnerable for a long time.
According to Armis, vulnerable devices include industrial SCADA systems, elevator and industrial controllers, patient monitors and MRI machines, firewalls, routers, satellite modems, VOIP phones, printers and more. Prior to 2006, when Wind River acquired the vulnerable TCP/IP stack called IPnet, the stack was also licensed and distributed to other RTOS vendors, so there is a high possibility that devices running other real-time operating systems are also vulnerable.
Armis’ analysis revealed that the vulnerabilities have existed in IPnet for over 13 years and impact most versions of VxWorks since 6.5, except for the latest release and those meant for certification like VxWorks 653 and VxWorks Cert Edition.
The researchers claim these are the most severe flaws found in VxWorks to date, but that might also be because VxWorks has not received the same level of attention from the security research community as general purpose operating systems. The RTOS has only had 13 public CVE vulnerability identifiers in its 32-year history.
“In most operating systems, such fundamental vulnerabilities in the crucial networking stacks have become extinct, after years of scrutiny unravelled and mitigated such flaws,” the Armis researchers said.
How do the URGENT/11 flaws work?
Not all of the vulnerabilities exist in all VxWorks versions, but most versions are affected by at least one of them. The remote code execution flaws can be exploited by simply sending maliciously crafted TCP packets to a vulnerable device, without any additional changes needed to their default configurations.
Devices that are directly accessible from the internet, such as firewalls and routers, are obviously at greater risk and, once compromised, they can be used as jump points into internal networks to attack other vulnerable VxWorks devices. In most cases, once they gain access to such a perimeter device, attackers can easily broadcast malicious packets to the entire network.
The Armis researchers told CSO that even without internal network access, attackers can still target and compromise VxWorks devices behind NAT firewalls using several techniques. For example, many printers and other systems regularly reach out to servers or cloud-based services located on the internet.
If attackers gain a man-in-the-middle position that allows them to intercept such requests after they leave the victim’s network, they can respond back with malicious packets. This can be achieved in a variety of ways, including hacking or gaining access to ISP routers, compromising the remote servers accessed by devices, or through BGP route hijacks.
While the six RCE flaws are rated critical, the denial-of-service ones shouldn’t be given less priority considering the type of impacted devices. Unscheduled downtime of mission-critical devices and equipment can have serious consequences. For example, attackers could use these flaws to stop patient monitoring devices in a hospital, halt the production in a manufacturing plant or worse.
Over 200 million mission-critical devices exposed
While VxWorks is used in over 2 billion devices, Wind River said in an emailed press release that these vulnerabilities only impact “a small subset” of its customer base, primarily “enterprise devices located at the perimeter of organizational networks that are internet-facing such as modems, routers, and printers, as well as some industrial and medical devices.” However, Armis estimates the flaws expose over 200 million “mission-critical” devices.
Wind River has worked closely with Armis as part of the coordinated disclosure process and has released patches to the affected VxWorks versions that are still supported. Some hardware manufacturers like firewall maker SonicWall and printer vendor Xerox have also released updates for their affected products.
However, given the variety of affected devices and the long period of time for which these flaws have existed in IPnet and VxWorks, there are likely many vulnerable devices still in use that have reached end-of-support and might never receive patches.
Devices like patient monitors, RMIs and industrial controllers have a much longer shelf life than printers or enterprise firewalls. They are also harder to update because the process might require manual intervention and but also because they perform critical operations and their owners can’t afford to take them out of use for firmware updates without serious planning.
Isolate and patch
Wind River advises organizations with VxWorks-powered devices to deploy the patches immediately. However, in order to do that, organizations need to first determine what VxWorks devices they have on their networks and how many of them are vulnerable. Until an inventory is done and the patching plan can be put into action, organizations should isolate the identified vulnerable devices using network controls and monitor their behavior for possible signs of compromise.
The good news is that URGENT/11 attacks can be detected at the firewall level. Armis will not release proof-of-concept exploit code for now, but will make detection signatures available that can be used by intrusion detection systems.
The researchers plan to demonstrate three real-world attack scenarios against a SonicWall firewall, a Xerox printer and a patient monitor at the upcoming Black Hat USA security conference.