Last week at the Security B-Sides and DEFCON conferences in Las Vegas, HD Moore, chief security officer at Rapid7 and founder and chief architect of Metasploit, disclosed two critical vulnerabilities in VxWorks, which is used to power Apple Airport Extreme access points, Mars rovers and C-130 Hercules aircrafts, in addition to microwaves, switches, sensors, telecom equipment and industrial control monitors.
VxWorks has a service enabled by default that provides read or write access to a device's memory and allows functions to be called, Moore told SCMagazineUS.com on Tuesday. The vulnerable service, called WDB agent, is a “debugger” for the VxWorks operating system that is used to diagnose problems and ensure code is working properly when a product is being developed.
The debugging service, a selectable component in the VxWorks configuration enabled by default, is not secured and represents a security hole in a deployed system, according to an advisory issued by the US-CERT on Monday.
The exposed WDB agent “allows anyone with network access to the device to take complete control of the device,” Moore told SCMagazineUS.com. “With a little bit of work, you could hijack just about any device.”
To determine how widespread the problem was, Moore wrote a scanner module for the Metasploit open-source penetration testing framework to run a network survey that encompassed more than 3.1 billion IP addresses, he said. More than 250,000 products representing 100 vendors were found with the WDB agent exposed, he said.
Moreover, unknown hackers spent most of 2006 scanning for the service, Moore said.
“There is a pretty good chance that someone already found this vulnerability and exploited it en masse all throughout 2006,” he said. “It was more than likely someone doing something malicious, but we have no clue what that was. There's just a huge variety of what you can do with this vulnerability – if you know how to apply it.”
Meanwhile, a separate vulnerability involving the hashing algorithm that is used in the standard authentication API for VxWorks could allow an attacker to brute force a password, Moore said. The hashing algorithm is susceptible to collisions, meaning an attacker would be able to brute force a password in a relatively short period of time by guessing a string that produces the same hash as a legitimate password, according to a separate advisory posted by US-CERT.
Moore contacted the CERT Coordination Center at Carnegie Mellon University in Pittsburgh and provided researchers with a list of affected devices, with the goal of notifying as many vendors as possible. VxWorks customers include Northrop Grumman, Motorola, Dell, Apple, HP and Cisco.
VxWorks is produced by Wind River, acquired by Intel in 2009.
Wind River plans to fix the weak password hashing vulnerability in VxWorks 6.9, which has not yet been released, according to Moore. However, the vendor has not made any promises to fix older affected versions of the embedded operating system.
“I expect to see this bug live on almost indefinitely,” he said.
However, a Wind River spokesman told SCMagazineUS.com in an email Tuesday that when contacted by Carnegie Mellon University's CERT Coordination Center, Wind River immediately assessed the alert, issued patches on Aug. 2 and was instructed by CERT to provide a "synchronous public response."
These two bugs are “just the tip of the iceberg,” Moore wrote in a blog post on Monday.
The VxWorks platform largely has been ignored for the past 10 years and needs to be more thoroughly tested, he said.