Published on September 1st, 2019

200 Million Devices Vulnerable to Remote Takeover Via VxWorks Flaw


By Jessica Davis

July 31, 2019 - About 200 million devices running on the VxWorks platform, including medical equipment and IoT devices, are vulnerable to remote takeover due to 11 critical vulnerabilities, according to Armis research.

Released today, the alert from Armis outlines a group of vulnerabilities in the VxWorks operating system, a real-time, secure platform found in nearly 2 billion continuously functioning devices. It’s a common choice for IoT and industrial control systems.

In March, Armis researchers notified VxWorks developer Wind River that vulnerabilities found in the operating system’s networking protocols put those devices at risk of attack. Six of the flaws could provide a hacker with remote device access or allow for a wormable exploit that could proliferate to other vulnerable devices on the network.

Wormable threats raise alarms given the hallmarks they share with the 2017 WannaCry attack, which crippled systems around the world, including the UK National Health Service. Microsoft and the Department of Homeland Security recently alerted to a potential wormable threat found in the Remote Desktop Protocol of several legacy platforms.

For VxWorks, the “urgent” flaws are found in versions as old as 6.5, released in 2006, as well as in IPnet, VxWorks’ TCP/IP stack, across versions from the last 13 years.

To researchers, the flaws are a rare example of OS vulnerabilities: just 13 CVEs have been listed by MITRE as affecting VxWorks, and none have impacted the core networking stack as severely as the flaws outlined today.

“Vulnerabilities in widely used implementations of TCP/IP stacks have become extremely rare in recent years, especially those that can enable remote code execution on target devices,” the researchers wrote.

“This type of vulnerability represents the holy grail for attackers, since they do not depend on the specific application built on top of the vulnerable stack and only require the attacker to have network access to the target device, which makes them remotely exploitable by nature,” they added.

Further, these flaws can also be used to bypass firewall and NAT solutions, allowing hackers to hide within “innocent-looking TCP traffic.”

The researchers also found five vulnerabilities that could lead to denial-of-service, logical errors, or information leaks.

One attack scenario impacts any VxWorks device stationed at the network perimeter and directly exposed to the internet, such as firewalls, modems, and routers. A hacker could directly attack these devices from the internet, compromise them, and then proliferate across the network.

Another scenario affects VxWorks devices stationed behind the perimeter or inside an internal network, which connect outbound to the internet through firewall or NAT solutions. The flaw could allow a hacker to take over such a device by intercepting TCP connections the device creates through the internet and manipulating certain fields of the TCP header in packets sent through the firewall or NAT solutions.

Researchers noted the scenario is made possible by the flaw’s low-level position inside the parsing and handling of the TCP header.

Lastly, the third scenario would allow a hacker already active within the network as the result of a prior attack to send a specially crafted broadcast IP packet that could spread to all vulnerable VxWorks devices on the local LAN at once.

“This is due to a very unique vulnerability found in the parsing and handling of the IP header, that is triggered even in broadcast,” researchers explained. “This vulnerability is also an RCE vulnerability that can lead to remote takeover.”
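All three scenarios come down to how a stack parses the IP and TCP headers before it trusts their fields. As an added illustration, not code from Armis, Wind River, or the original article, the following Python parses an IPv4 packet and its TCP segment the way a defensive stack should: every length field (IHL, total length, TCP data offset, option length) is checked against the bytes actually received before it is used to index anything, and malformed input is rejected with a stated reason instead of being processed. It does not reproduce any of the URGENT/11 bugs; the `build_ipv4_tcp` helper and the sample packets are constructed here for demonstration, and checksum verification is assumed out of scope.

```python
"""Strict IPv4 and TCP header parsing with bounds checks (added example).

Not Armis or Wind River code; it does not reproduce the URGENT/11 bugs. It
shows the consistency checks a defensive TCP/IP stack applies before trusting
a header field. Sample packets are constructed inline; checksums are ignored.
"""
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
TCP_HDR = struct.Struct("!HHIIHHHH")     # fixed 20-byte TCP header
PROTO_TCP = 6
BROADCAST = b"\xff\xff\xff\xff"          # limited broadcast address


class MalformedPacket(ValueError):
    """A header field is inconsistent with the bytes that were received."""


def parse_ipv4(buf: bytes) -> dict:
    """Validate the IPv4 header and return only bytes the lengths actually cover."""
    if len(buf) < IP_HDR.size:
        raise MalformedPacket("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = IP_HDR.unpack(buf[:IP_HDR.size])
    if ver_ihl >> 4 != 4:
        raise MalformedPacket("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, from a 4-bit word count
    if ihl < IP_HDR.size:
        raise MalformedPacket("IHL smaller than the fixed header")
    if total_len < ihl or total_len > len(buf):
        raise MalformedPacket("IPv4 total length inconsistent with received bytes")
    return {
        "src": src, "dst": dst, "proto": proto,
        "broadcast": dst == BROADCAST,
        "options": buf[IP_HDR.size:ihl],
        "payload": buf[ihl:total_len],  # bytes past total_len are never parsed
    }


def parse_tcp_options(raw: bytes) -> list:
    """Walk the TCP option list; every (kind, length) record must fit inside raw."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:        # End of Option List
            break
        if kind == 1:        # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise MalformedPacket("TCP option kind without a length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise MalformedPacket("TCP option length escapes the header")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp(seg: bytes) -> dict:
    """Validate the TCP header; the data offset must not point past the segment."""
    if len(seg) < TCP_HDR.size:
        raise MalformedPacket("truncated TCP header")
    sport, dport, seq, ack, off_flags, _, _, _ = TCP_HDR.unpack(seg[:TCP_HDR.size])
    data_off = (off_flags >> 12) * 4
    if data_off < TCP_HDR.size or data_off > len(seg):
        raise MalformedPacket("TCP data offset outside the segment")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,
        "options": parse_tcp_options(seg[TCP_HDR.size:data_off]),
        "payload": seg[data_off:],
    }


def inspect_packet(buf: bytes) -> dict:
    """Parse one IPv4 packet without raising; report the rejection reason instead."""
    try:
        ip = parse_ipv4(buf)
        result = {"ok": True, "ip": ip}
        if ip["proto"] == PROTO_TCP:
            result["tcp"] = parse_tcp(ip["payload"])
        return result
    except MalformedPacket as exc:
        return {"ok": False, "error": str(exc)}


def build_ipv4_tcp(src: bytes, dst: bytes, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct a well-formed SYN packet (test data only; checksums left at zero)."""
    options += b"\x00" * (-len(options) % 4)  # options are padded to 32-bit words
    data_off = (TCP_HDR.size + len(options)) // 4
    tcp = TCP_HDR.pack(40000, 80, 1, 0, (data_off << 12) | 0x02, 65535, 0, 0) + options + payload
    return IP_HDR.pack(0x45, 0, IP_HDR.size + len(tcp), 1, 0, 64, PROTO_TCP, 0, src, dst) + tcp


if __name__ == "__main__":
    mss = b"\x02\x04\x05\xb4"  # MSS option: kind 2, length 4, value 1460 (constructed)
    good = build_ipv4_tcp(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", mss, b"hi")
    bad_offset = bytearray(good)
    bad_offset[32] |= 0xF0     # data-offset field now claims a 60-byte TCP header
    bad_option = build_ipv4_tcp(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x02\x10\x05\xb4")
    for name, pkt in [("good", good), ("bad_offset", bytes(bad_offset)),
                      ("bad_option", bad_option), ("truncated", good[:30])]:
        print(name, inspect_packet(pkt))
```

Running the file prints the verdict for one valid packet and three malformed ones: an oversized data offset, an option whose declared length runs past the header, and a packet shorter than its own total-length field. The point for a stack written in C is that these same fields are what the parser would otherwise use as offsets into a fixed-size buffer, which is why each one is checked against the received length before it is used.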

“The wide range of affected versions spanning over the last 13 years is a rare occurrence in the cyber arena and is the result of VxWorks’ relative obscurity in the research community,” researchers wrote. “This timespan might be even longer, as according to Wind River, three of the vulnerabilities have already existed in IPnet when it was acquired from Interpeak in 2006.”

Wind River officials said the vulnerabilities do not affect the latest VxWorks platforms. They’ve created and unit-tested a patch for these vulnerabilities, which has been provided to customers. Further, Wind River worked closely with Armis to disclose these flaws to customers to help device makers mitigate potential risks to users.

As for the 13-year time span, Wind River officials noted that it’s challenging to find code vulnerabilities and individuals will attack code in ways not anticipated. It’s also not uncommon for vulnerabilities to go undetected for long periods of time, such as the Spectre and Meltdown variants that went undetected for nearly 10 years.

“Modern software systems are complex with very rich functionality and large code bases written over many years with a constantly advancing awareness of secure programming and constantly increasing levels of scrutiny,” Wind River officials wrote.

As the healthcare sector struggles with patching and with fully understanding just how many IoT and other devices are active on its network, the Armis research should be made a top priority. Even without the new VxWorks vulnerabilities, many of the sector’s devices still operate on legacy platforms.

Inventory, patching, system updates, and visibility into the network through automation will be crucial to closing these security gaps that could potentially put patient safety at risk.
