Armis, an enterprise IoT security company and recent winner of the IoT Evolution Product of the Year Award, recently announced its discovery of 11 zero-day vulnerabilities, 6 reportedly critical, that affect Wind River (News - Alert) VxWorks versions since version 6.5, that include the IPnet stack, collectively known as “URGENT/11.” Updated releases have been provided. URGENT/11 does not impact versions of the product designed for certification, such as VxWorks 653 and VxWorks Cert Edition, Armis said.
Wind River has been working in collaboration with Armis on this matter, and customers were notified and issued patches to address the vulnerabilities last month. To the best of both companies knowledge, there is no indication the URGENT/11 vulnerabilities have been exploited.
VxWorks real-time operating system (RTOS) is used in more than two billion devices across industrial, medical and enterprise environments such as mission-critical systems including SCADA, elevator and industrial controllers, patient monitors and MRI machines, as well as firewalls, routers, modems, VOIP phones and printers. If exploited, URGENT/11 could allow a complete takeover of the device and cause disruption on a scale similar to what resulted from the EternalBlue vulnerability. For a detailed report on URGENT/11, click here.
“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, VP, research, Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses. This is why URGENT/11 is so important. The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern.”
URGENT/11 reportedly includes six Remote Code Execution (RCE) vulnerabilities that could give an attacker full control over a targeted device, via unauthenticated network packets. Any connected device leveraging VxWorks that includes the IPnet stack is affected by at least one of the discovered vulnerabilities. They include some devices that are located at the perimeter of organizational networks that are internet-facing such as modems, routers and firewalls. Any vulnerability in such a device may enable an attacker to breach networks directly from the internet. Devices protected by perimeter security measures also can be vulnerable once the devices create TCP connections to the internet. These connections can be hijacked and used to trigger the discovered TCP vulnerabilities, allowing attackers to take over the device and access the internal network.
“URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected,” said Yevgeny Dibrov, CEO and co-founder, Armis. “The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk.”
VxWorks is pervasive and trusted due to its rigorous and high-achieving safety certifications and its high degree of reliability and real-time accuracy. In its 32-year history, only 13 Common Vulnerabilities and Exposures (CVEs) have been listed by MITRE as affecting VxWorks. Armis discovered unusually low-level vulnerabilities within the IPnet stack affecting these specific VxWorks versions released in the last 13 years, from versions 6.5 and above. These are the most severe vulnerabilities found in VxWorks to date.
The IPnet networking stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of real-time operating system vendors.
Ben Seri and Dor Zusman, security researcher at Armis will present the exploration of the URGENT/11 vulnerabilities at Black Hat 2019 in Las Vegas on Thursday, August 8, 2019. The talk will also include a demonstration of real-world end-to-end attacks on VxWorks-based devices including a firewall and printer.
Organizations deploying devices with VxWorks should patch impacted devices immediately. More information can be found in the Wind River Security Alert posted on the company’s Security Center.