Published on July 29th, 2019 📆 | 6582 Views ⚑
0200 million enterprise, industrial, and medical devices affected by RCE flaws in VxWorks RTOS
Armis researchers have discovered 11 vulnerabilities (including 6 critical RCE flaws) in Wind River VxWorks, a real-time operating system used by more than two billion devices across industrial, medical and enterprise environments.
Collectively dubbed âUrgent11â, they are estimated to impact âSCADA systems, elevators, industrial controllers, patient monitors and MRI machines, as well as firewalls, routers, âsatellite modems, VOIP phones and printersâ.
About Wind River VxWorks
VxWorks is a real-time operating system (RTOS), i.e., an OS that processes data and performs applicationsâ tasks within a strictly defined (extremely short) time.
This type of OS is mostly used in mission-critical devices and networking equipment, where speed, accuracy, response predictability and reliability are paramount.
âFirst released in 1987, VxWorks is one of the most mature operating systems still widely in use, and maintains a large number of its branches, due to the nature of the devices it operates and the difficulties in upgrading them,â the researchers noted.
âThe actual extent of VxWorks devices is astonishing, including Siemens, ABB, Emerson Electric, Rockwell Automation, Mitsubishi Electronic, Samsung, Ricoh, Xerox, NEC, and Arris, among others.â
About the vulnerabilities
The âUrgent11â vulnerabilities (CVE-2019-12255 to CVE-2019-12262) reside in IPnet, VxWorksâ TCP/IP stack, which was acquired by Wind River through its acquisition of Interpeak in 2006.
They include six critical flaws that enable remote code execution and five that can lead to denial of service, leaking of information or errors. (More technical details are available here.)
Ben Seri, VP of Research at Armis, told Help Net Security that three of the eleven vulnerabilities have existed in the IPnet code prior to Wind Riverâs acquisition of Interpeak, but the rest of the vulnerabilities were introduced later on.
âThe IPnet networking stack is a component of some versions of VxWorks, including end-of-life (EOL) versions back to 6.5. Specifically, connected devices leveraging older standard VxWorks releases that include the IPnet stack are impacted by one or more of the discovered vulnerabilities,â said Arlen Baker, Wind River Chief Security Architect.
âThe latest release of VxWorks is not affected by the vulnerabilities, nor are any of Wind Riverâs safety-critical products that are designed for certification, such as VxWorks 653 and VxWorks Cert Edition. To date, there is no indication the Urgent/11 vulnerabilities have been exploited in the wild.â
He also noted that those impacted make up âa small subsetâ of their customer base, and primarily include enterprise devices located at the perimeter of organizational networks such as modems, routers, and printers, as well as some industrial and medical devices.
Exploitation potential
The vulnerabilities can be exploited by attackers to take control over a device situated either on the network perimeter or within it.
âEven a device that is reaching outbound to the internet could be attacked and taken over. Alternately, an attacker who has already managed to infiltrate a network can use Urgent/11 to target specific devices within it, or even broadcast an attack capable of taking over all impacted VxWorks devices in the network simultaneously,â Armis researchers shared.
âIt is important to note that in all scenarios, an attacker can gain complete control over the targeted device remotely with no user interaction required, and the difference is only in how the attacker reaches it.â
Ben Seri and Dor Zusman will âpresent the vulnerabilities at Black Hat USA 2019 and will demonstrate real-world end-to-end attacks on three VxWorks-based devices: a SonicWall firewall, a Xerox printer and a patient monitor.
According to the researchers, an attacker with an Internet connection can âlaunch a direct attack with a specially crafted TCP packet and âtake control over all Internet-connected SonicWall firewalls at once, potentially roping them into a botnet and compromising the networks behind them.
In the âattack from within the networkâ scenario, an attacker could breach all vulnerable devices at once by broadcasting malicious packets throughout the network. For example, in an industrial setting, the attacker could take control over Programmable Logic Controllers running vulnerable VxWorks versions and disrupt production.
Attack prevention and mitigation
Armis disclosed the vulnerabilities to Wind River, which created patches and disseminated them to manufacturers of affected devices in June.
SonicWall and Xerox have already pushed out security updates for their firewalls and printers; other manufacturers will surely follow.
Wind River has released a security alert that includes information about the vulnerabilities, patches and mitigation options.
The company has provided patches for previous versions of VxWorks and have released a new version (VxWorks 7 SR0620) on July 19 that includes fixes for the discovered vulnerabilities. They have also detailed built-in security features that can be leveraged to protect against the identified vulnerabilities.
Organizations are advised to check whether they have vulnerable devices on their networks, patch them and shield them via network controls as best they can. Armis researchers also advise monitoring the behavior of all vulnerable devices for indications of compromise.
âSecurity appliances can and should be used to detect any attempts using Urgent/11 vulnerabilities,â Seri noted.
âArmis will be providing guidelines on how such mitigations can be put in place â such as firewall rules, and IDS signatures. In addition, Armisâ solution is already prepared to detect any attempt to exploit Urgent/11, and also identify all devices in organizationsâ network that are using vulnerable versions of VxWorks â and drive users to update their devices.â
Additional considerations
Prior to Wind Riverâs acquisition of Interpeak, its TCP/IP stack was broadly licensed to and deployed by a number of other RTOS vendors. Since some of the discovered vulnerabilities date back prior to the acquisition, itâs possible they are still present in those deployments.
Itâs also interesting to note that prior to the discovery of these vulnerabilities, only 13 CVEs have ever been listed by MITRE as affecting VxWorks, and none as severe as these.
âVxWorksâ uncharted nature stems from the fact that it is closed sourced, making it more difficult to inspect, and the fact that it is an RTOS, which has received less attention from the research community as it does not operate consumer devices,â the researchers noted.
âWind River cares and is serious about security, but coding in a bug-free fashion is an impossible feat. For this reason it is important to research the lesser known operating systems such as VxWorks, especially when they are used so widely in over 2 billion devices,â Seri added.
âSome of the discovered vulnerabilities are very elusive, and are almost impossible to detect with automated tools. So from time to time, the work of vulnerability researchers can help uncover such vulnerabilities.â
Gloss