Experts from Armis have disclosed 11 vulnerabilities in VxWorks, the real-time operating system (RTOS) developed by Wind River. The flaws have been given the collective name URGENT/11, and the researchers plan to present a report on them at the Black Hat conference, which will be held in Las Vegas next month.
“VxWorks is used by over 2 billion devices including critical industrial, medical and enterprise devices. VxWorks is the most widely used real-time operating system (RTOS) in the world. RTOSs are used by devices which require high accuracy and reliability, such as critical infrastructure, networking equipment, medical devices, industrial systems, and even spacecraft,” Armis specialists report.
As a result, automotive electronics, industrial robots and controllers, airplanes and space vehicles, wireless routers, printers, medical equipment, and much more, were at risk.
According to estimates of Armis experts, at least 200 million devices are vulnerable, although representatives of Wind River believe that this figure is too high.
The discovered vulnerabilities affect the operation of the TCP/IP stack (IPnet), which is used in VxWorks to connect to the Internet and other devices in local networks.
Interestingly, Wind River acquired the IPnet stack when it purchased Interpeak in 2006, which means that the stack is not exclusive to VxWorks: it was previously licensed to and used by other RTOS vendors.
All VxWorks versions starting from version 6.5 (that is, all versions released over the past 13 years that include IPnet) are vulnerable to URGENT/11 problems. The only exceptions are VxWorks 653 and VxWorks Cert Edition, which are not affected.
The researchers divided the problems found into two groups. The first group includes critical bugs that allow executing arbitrary code on vulnerable devices (CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263 and CVE-2019-12257). The second group comprises less dangerous problems that could lead to a denial of service (CVE-2019-12258, CVE-2019-12259), logical errors (CVE-2019-12264, CVE-2019-12262), or information leakage (CVE-2019-12265).
“As each vulnerability affects a separate part of the network stack, each of them affects a different set of versions of VxWorks,” explain Armis experts.
In addition, some vulnerabilities can be exploited directly over the Internet, while others require the attacker to first gain access to the local network. Accordingly, the exploitation scenarios differ widely.
For example, a compromised corporate firewall or router running VxWorks can give attackers access to all devices on the local network. A similar vulnerability in an industrial PLC is less dangerous, since a PLC is usually not connected to the Internet all the time. According to experts from Armis and Wind River, the URGENT/11 vulnerabilities are particularly dangerous for network equipment (routers, modems and firewalls), while medical and industrial devices are mostly not directly accessible via the Internet and are relatively secure.
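The applicability rule and exposure reasoning above can be applied to an asset inventory to decide what to patch first. The following Python triage helper is an added example, not code from Armis or Wind River; the asset fields, role labels, bucket names and sample inventory are constructed assumptions.

```python
import re

# Device roles the article calls most exposed (labels are assumptions).
PERIMETER_ROLES = {"router", "modem", "firewall"}

def parse_version(os_string):
    """Extract (major, minor) from a free-form inventory string, else None."""
    m = re.search(r"vxworks[\s\-_]*v?(\d+)(?:\.(\d+))?", os_string, re.I)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def triage(asset):
    """Classify one asset dict: keys 'os', 'role', 'internet_facing', optional 'ipnet'."""
    os_string = asset["os"]
    if not re.search(r"vxworks", os_string, re.I):
        return "not-vxworks"
    # VxWorks 653 and Cert Edition are the editions the article excludes.
    if re.search(r"vxworks\s+(653\b|cert)", os_string, re.I):
        return "excluded-edition"
    version = parse_version(os_string)
    if version is None:
        return "verify-manually"       # unknown version is never treated as safe
    if version < (6, 5):
        return "outside-stated-range"  # article only covers 6.5 and later
    if asset.get("ipnet") is False:
        return "no-ipnet"              # build confirmed not to ship IPnet
    if asset["internet_facing"] or asset["role"] in PERIMETER_ROLES:
        return "patch-first"
    return "patch-scheduled"

# Constructed sample inventory; hostnames and strings are illustrative only.
INVENTORY = [
    {"host": "edge-fw-01", "os": "VxWorks 6.9.4.1", "role": "firewall", "internet_facing": True},
    {"host": "plc-line-3", "os": "vxworks-6.8", "role": "plc", "internet_facing": False},
    {"host": "avionics-a", "os": "VxWorks 653 3.1", "role": "controller", "internet_facing": False},
    {"host": "printer-2f", "os": "Wind River VxWorks 5.5.1", "role": "printer", "internet_facing": False},
    {"host": "monitor-07", "os": "VxWorks", "role": "medical", "internet_facing": False},
    {"host": "branch-rtr", "os": "VxWorks7 SR0540", "role": "router", "internet_facing": False},
]

def report(inventory):
    """Map each host to its triage bucket."""
    return {a["host"]: triage(a) for a in inventory}

if __name__ == "__main__":
    for host, bucket in report(INVENTORY).items():
        print(f"{host:12} {bucket}")
```

Assets that land in `verify-manually` or `outside-stated-range` still need a check against the vendor advisory, since the article gives no per-CVE version mapping.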
How to protect devices?
Armis and Wind River jointly prepared fixes for all problems found, and patches were released last month. Additionally, the developers emphasize that they did not find any evidence that someone had exploited these vulnerabilities before.
Armis also demonstrated several PoC exploits in action: the researchers showed the compromise of a SonicWall firewall, an attack on a Xerox printer, and the takeover of a patient-monitoring device.