VxWorks, a real-time operating system (RTOS) that runs on more than 2 billion devices — many in industrial, health-care and enterprise environments — has been found to contain 11 vulnerabilities, six of which are critical flaws that enable remote code execution. Around 200 million devices are running the vulnerable versions of the RTOS, according to researchers.
Though not a household name, VxWorks is a ubiquitous OS used in a wide range of devices and embedded systems that require real-time, deterministic performance. Such systems can be found in SCADA systems, programmable logic controllers, elevator and industrial controllers, patient monitors and MRI machines, networking equipment, robotic arms, transportation systems and spacecraft, and more. Device and systems manufacturers impacted by the 11 bugs include Siemens, Rockwell Automation, Mitsubishi Electric, Samsung and Xerox.
Wind River, VxWorks’ developer, issued a July 19 software update that patches the vulnerabilities, which, in addition to the half-dozen RCE bugs, also include logic flaws, denial of service conditions and information leak vulnerabilities. The company also issued a security advisory last Thursday, offering several mitigation suggestions, and began advising affected device manufacturers.
Collectively referred to as URGENT/11, the flaws were originally discovered by researchers at Armis, who publicly detailed their findings today in an online vulnerability summary, as well as a technical paper authored by Armis team members Ben Seri, Gregory Vishnepolsky and Dor Zusman. Seri and Zusman will also present their findings next week at the Black Hat conference in Las Vegas.
The vulnerabilities reside specifically within IPnet, VxWorks’ TCP/IP stack, and can be found in versions 7 and 6.5-6.9 of the RTOS, the oldest of which dates back to 2006, 13 years ago. Even some earlier versions are affected if they use IPnet, which originally was a standalone product of a company called Interpeak, which Wind River acquired in 2006.
“URGENT/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions,” said Armis’ online summary of the bugs. “These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks.” For this reason, Armis is drawing a comparison between URGENT/11 and the EternalBlue Windows SMB exploit that enabled the propagation of WannaCry ransomware.
Armis describes three viable attack scenarios made possible by the vulnerabilities:
- Attacking and hijacking a target’s perimeter firewalls, which gives the attacker a foothold from which to compromise the rest of the network.
- Bypassing perimeter security and attacking devices with external network connections, via a man-in-the-middle attack.
- After completing one of the above two scenarios, malicious actors can then further attack additional devices that only have internal network connections. In such an instance, the attackers could potentially take down an entire industrial facility and hold it for ransom.
“Wind River has created and fully tested patches for the security vulnerabilities that were discovered in the TCP/IP stack (IPnet), a component of certain versions of VxWorks,” says an official vulnerability announcement issued by Alameda, Calif.-based Wind River. “To date, there is no indication that the vulnerabilities have been exploited. Organizations deploying devices with VxWorks are advised to patch impacted devices immediately.”
“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, VP of research at Armis, in a company news release. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations… This is why URGENT/11 is so important.”
Armis researchers believe their discoveries should serve as a wake-up call to the vulnerability research community, which they believe has overlooked real-time operating systems for too long. (Prior to the disclosure of URGENT/11, MITRE had listed only 13 other CVEs for VxWorks, according to Armis.)
“Our research demonstrates why RTOS[s] should receive the same scrutiny as others have, for two major reasons. First, any software which isn’t researched maintains flaws that might have a devastating impact once discovered,” Armis states in its vulnerability summary. “Second, RTOSs are used by critical devices, due to the high level of reliability they provide. This makes the effect of any vulnerability found within them much harsher.”
Per the Armis summary, the six critical RCE flaws are a stack overflow in the parsing of IPv4 options (CVE-2019-12256); four memory corruption vulnerabilities stemming from erroneous handling of the TCP Urgent Pointer field (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263); and a heap overflow in the DHCP client’s (ipdhcpc) parsing of DHCP Offer/ACK messages (CVE-2019-12257).
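CVE-2019-12256 is a stack overflow in IPnet's handling of IPv4 options, a bug class that recurs across embedded TCP/IP stacks whenever an attacker-controlled option length byte is trusted. The C below is an added illustration of the defensive checks that close off that class in a generic RFC 791 option walker; it is not IPnet, Wind River or Armis code, it does not reproduce the actual CVE-2019-12256 logic (which this page does not describe), and the sample packets are constructed here for the example.

```c
/* Added example: a bounds-checked IPv4 options walker. Not IPnet code and
 * not the real CVE-2019-12256 bug; it shows the checks that prevent the
 * "forged option length overruns a fixed buffer" class of stack overflow. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV4_MIN_HDR_LEN 20
#define IPV4_MAX_HDR_LEN 60
#define IPV4_MAX_OPT_LEN (IPV4_MAX_HDR_LEN - IPV4_MIN_HDR_LEN) /* 40 bytes */

enum parse_status { OPT_OK = 0, OPT_BAD_IHL, OPT_TRUNCATED, OPT_BAD_LEN, OPT_TOO_MANY };

/* Validates every option TLV against the bytes actually present before any
 * copy, so an attacker-chosen length byte can never write past `out`. */
enum parse_status parse_ipv4_options(const uint8_t *pkt, size_t pkt_len,
                                     uint8_t out[IPV4_MAX_OPT_LEN],
                                     size_t *out_len, unsigned *opt_count)
{
    if (pkt_len < IPV4_MIN_HDR_LEN) return OPT_TRUNCATED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;            /* header length in bytes */
    if (ihl < IPV4_MIN_HDR_LEN || ihl > IPV4_MAX_HDR_LEN) return OPT_BAD_IHL;
    if (ihl > pkt_len) return OPT_TRUNCATED;             /* IHL claims bytes we lack */

    const uint8_t *opt = pkt + IPV4_MIN_HDR_LEN;
    size_t remaining = ihl - IPV4_MIN_HDR_LEN;           /* 0..40, bounded by IHL */
    size_t pos = 0;
    unsigned n = 0;

    while (pos < remaining) {
        uint8_t type = opt[pos];
        if (type == 0) break;                            /* End of Option List */
        if (type == 1) { pos++; n++; continue; }         /* NOP is a single byte */
        if (pos + 1 >= remaining) return OPT_TRUNCATED;  /* no room for a length byte */
        uint8_t len = opt[pos + 1];
        if (len < 2) return OPT_BAD_LEN;                 /* would never advance */
        if (len > remaining - pos) return OPT_BAD_LEN;   /* runs past the header */
        pos += len;
        n++;
        if (n > 20) return OPT_TOO_MANY;                 /* cap pathological option lists */
    }
    memcpy(out, opt, remaining);                         /* remaining <= 40 is guaranteed */
    *out_len = remaining;
    *opt_count = n;
    return OPT_OK;
}

/* Constructed sample: a 24-byte header (IHL=6) carrying one Router Alert
 * option (type 148). `forged_len` sets the option's length byte so malformed
 * inputs can be tried; `opts_copied` (may be NULL) receives bytes copied. */
enum parse_status try_router_alert(uint8_t forged_len, size_t *opts_copied)
{
    uint8_t pkt[24] = {0};
    pkt[0] = 0x46;                      /* version 4, IHL 6 -> 24-byte header */
    pkt[3] = 24;                        /* total length */
    pkt[9] = 6;                         /* protocol: TCP */
    pkt[20] = 148; pkt[21] = forged_len; /* Router Alert, attacker-chosen length */
    uint8_t opts[IPV4_MAX_OPT_LEN];
    size_t out_len = 0; unsigned count = 0;
    enum parse_status st = parse_ipv4_options(pkt, sizeof pkt, opts, &out_len, &count);
    if (opts_copied) *opts_copied = out_len;
    return st;
}

/* Constructed sample: IHL advertises a 60-byte header but only 24 bytes exist. */
enum parse_status try_ihl_overclaim(void)
{
    uint8_t pkt[24] = {0};
    pkt[0] = 0x4f;                      /* version 4, IHL 15 -> 60 bytes claimed */
    uint8_t opts[IPV4_MAX_OPT_LEN];
    size_t out_len = 0; unsigned count = 0;
    return parse_ipv4_options(pkt, sizeof pkt, opts, &out_len, &count);
}

int main(void)
{
    printf("well-formed option:  %d (expect %d)\n", try_router_alert(4, NULL), OPT_OK);
    printf("forged length 40:    %d (expect %d)\n", try_router_alert(40, NULL), OPT_BAD_LEN);
    printf("zero length:         %d (expect %d)\n", try_router_alert(0, NULL), OPT_BAD_LEN);
    printf("IHL over-claim:      %d (expect %d)\n", try_ihl_overclaim(), OPT_TRUNCATED);
    return 0;
}
```

The two checks that matter are the ones a hurried parser omits: the per-option length is compared against the bytes remaining inside the IHL-bounded area, and the IHL itself is compared against the bytes actually received, so neither field can steer a copy beyond the fixed 40-byte option buffer.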