Vulnerabilities in VxWorks—a real-time operating system (RTOS) used in a variety of Internet of Things (IoT) devices—potentially allow remote attackers the ability to gain full control over an affected device, according to research from security firm Armis, published Monday.
In total, Armis discovered 11 vulnerabilities, including six critical vulnerabilities, collectively branded URGENT/11. The vulnerabilities affect VxWorks 6.5 and higher, with “any connected device leveraging VxWorks that includes the IPnet stack is affected by at least one of the discovered vulnerabilities,” according to Armis. However, this does not affect versions designed for certification, including VxWorks 653 and VxWorks Cert Edition. Wind River Systems, the vendor of VxWorks, has provided patches for the vulnerabilities.
Wind River and Armis have found “no indication the URGENT/11 vulnerabilities have been exploited.”
VxWorks is used for mission-critical systems for the enterprise, including SCADA, elevator, and industrial controllers, as well as healthcare equipment including patient monitors and MRI scanners. It is also used for networking equipment, including that often found at the perimeter of networks, such as firewalls, routers, and satellite modems, as well as VOIP phones and printers. The vulnerabilities potentially allow hackers to traverse internal enterprise networks.
Notably, much of Huawei’s commercial networking equipment is known to run on VxWorks, as is Apple’s (now-discontinued) Airport Extreme.
SEE: Launching a career in cybersecurity: An insider’s guide (free PDF) (TechRepublic)
“VxWorks is the most widely used operating system you may never have heard of,” Ben Seri, vice president of research at Armis, said in a press release. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses. This is why URGENT/11 is so important. The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern.”
According to Armis, the URGENT/11 vulnerabilities are “the most severe vulnerabilities found in VxWorks to date,” though the company also notes that “In its 32-year history, only 13 CVEs have been listed by MITRE as affecting VxWorks.” Likewise, the IPnet stack was integrated as a result of Wind River’s acquisition of Interpeak in 2006, prior to which the IPnet stack was licensed to competing RTOS vendors. Potential exists for older embedded systems to be vulnerable—while under normal circumstances, devices from this long ago would have reached End-of-Life, this is not a guarantee for embedded systems.
Likewise, Armis claims that the potential risk from URGENT/11 could “cause disruption on a scale similar to what resulted from the EternalBlue vulnerability.”
Vendors of systems utilizing VxWorks should view the vulnerability information on Wind River’s website for patching instructions, likewise, users of products that are powered by VxWorks should check with their vendor for firmware updates.
For more, check out “How WannaCry is still launching 3,500 successful attacks per hour” and “83% have experienced a DDoS attack in the past two years, survey finds” on TechRepublic.
Update: A previous version of this article included Drobo products as using VxWorks. Wind River Systems has touted Drobo in the past as a customer success story, though a representative from Drobo indicated that the networking stack—the vulnerable component detailed in this article—was not used in Drobo products.