Security researchers have discovered almost a dozen zero-day vulnerabilities in VxWorks, one of the most widely used real-time operating systems (RTOS) for embedded devices that powers over 2 billion devices across aerospace, defense, industrial, medical, automotive, consumer electronics, networking, and other critical industries.
According to a new report Armis researchers shared with The Hacker News prior to its release, the vulnerabilities are collectively dubbed as URGENT/11 as they are 11 in total, 6 of which are critical in severity leading to ‘devastating’ cyberattacks.
Armis Labs is the same IoT security company that previously discovered the BlueBorne vulnerabilities in Bluetooth protocol that impacted more than 5.3 Billion devices—from Android, iOS, Windows and Linux to the Internet of things (IoT).
These vulnerabilities could allow remote attackers to bypass traditional security solutions and take full control over affected devices or “cause disruption on a scale similar to what resulted from the EternalBlue vulnerability,” without requiring any user interaction, researchers told The Hacker News.
It’s likely possible that many of you might have never heard of this operating system, but Wind River VxWorks is being used to run many everyday internet-of-things such as your webcam, network switches, routers, firewalls, VOIP phones, printers, and video-conferencing products, as well as traffic lights.
Besides this, VxWorks is also being used by mission-critical systems including SCADA, trains, elevators and industrial controllers, patient monitors, MRI machines, satellite modems, in-flight WiFi systems, and even the mars rovers.
URGENT/11 — Vulnerabilities in VxWorks RTOS
The reported URGENT/11 vulnerabilities reside in the IPnet TCP/IP networking stack of the RTOS that was included in VxWorks since its version 6.5, apparently leaving all versions of VxWorks released in the last 13 years vulnerable to device takeover attacks.
All 6 critical vulnerabilities let attackers trigger remote code execution (RCE) attacks, and remaining flaws could lead to denial-of-service, information leaks, or logical flaws.
Critical Remote Code Execution Flaws:
- Stack overflow in the parsing of IPv4 options (CVE-2019-12256)
- Four memory corruption vulnerabilities stemming from erroneous handling of TCP’s Urgent Pointer field (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263)
- Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)
DoS, Information Leak, and Logical Flaws:
- TCP connection DoS via malformed TCP options (CVE-2019-12258)
- Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)
- Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)
- DoS via NULL dereference in IGMP parsing (CVE-2019-12259)
- IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)
All these flaws can be exploited by an unauthenticated, remote attacker just by sending a specially crafted TCP packet to an affected device without requiring any user interaction or prior information regarding the targeted device.
However, each version of VxWorks since 6.5 is not vulnerable to all 11 flaws, but at least one critical RCE flaw affects each version of the real-time operating system.
“VxWorks includes some optional mitigations that could make some of the URGENT/11 vulnerabilities harder to exploit, but these mitigations are rarely used by device manufacturers,” the researchers say.
Armis researchers believe URGENT/11 flaws might affect devices using other real-time operating systems as well, as IPnet was used in other operating systems prior to its acquisition by VxWorks in 2006.
How Can Remote Attackers Exploit VxWorks Flaws?
The exploitation of VxWorks IPnet vulnerabilities also depends upon the location of an attacker and the targeted vulnerable device; after all, the attacker’s network packets should reach the vulnerable system.
According to the researchers, the threat surface of URGENT/11 flaws can be divided into 3 attack scenarios, as explained below:
Scenario 1: Attacking the Network’s Defenses
Since VxWorks also powers networking and security devices such as switches, routers, and firewalls that are usually reachable over the public Internet, a remote attacker can launch a direct attack against such devices, taking complete control over them, and subsequently, over the networks behind them.
For example, there are over 775,000 SonicWall firewalls connected to the Internet at the time of writing that runs VxWorks RTOS, according to Shodan search engine.
Scenario 2: Attacking from Outside the Network Bypassing Security
Besides targeting Internet-connected devices, an attacker can also attempt to target IoT devices that are not directly connected to the Internet but communicates with its cloud-based application protected behind a firewall or NAT solution.
According to the researchers, a potential attacker can use DNS changing malware or man-in-the-middle attacks to intercept a targeted device’ TCP connection to the cloud and launch a remote code execution attack on it.
Scenario 3: Attacking from within the Network
In this scenario, an attacker who already has positioned himself within the network as a result of a prior attack can launch attacks against affected VxWorks powered devices simultaneously even when they have no direct connection to the Internet.
“The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk,” said Yevgeny Dibrov, CEO and co-founder of Armis.
“A compromised industrial controller could shut down a factory, and a pwned patient monitor could have a life-threatening effect.”
“To the best of both companies knowledge, there is no indication the URGENT/11 vulnerabilities have been exploited.”
However, researchers also confirmed that these vulnerabilities do not impact other variants of VxWorks designed for certification, such as VxWorks 653 and VxWorks Cert Edition.
Armis reported these vulnerabilities to Wind River Systems responsibly, and the company has already notified several device manufacturers and released patches to address the vulnerabilities last month.
Meanwhile, affected product vendors are also in the process of releasing patches for their customers, which researchers believe will take time and be difficult, as is usually the case when it comes to IoT and critical infrastructure updates. SonicWall and Xerox have already released patches for its firewall devices and printers, respectively.