Serious and exploitable security flaws in VxWorks, a commonly used operating system for embedded devices, span 13 years and could leave hundreds of millions* of connected devices vulnerable to remote cyber attacks and hacks.
The security firm Armis on Monday published a warning about 11 critical, zero day vulnerabilities in the VxWorks operating system, which is owned and managed by the firm Wind River. The vulnerabilities expose more than 200 million devices and could allow attackers to remotely take control of everything from networked printers and security appliances to industrial and medical devices, according to Ben Seri, the Vice President of Research at Armis.
Move over, EternalBlue!
At least a couple of the flaws were described as “more serious” than EternalBlue, the Microsoft Windows flaw that powered both the WannaCry and NotPetya malware outbreaks. SCADA and industrial control system devices, healthcare devices like patient monitors and MRI machines, as well as networking equipment, networked printers and VOIP phones are all potentially vulnerable to the flaws, Armis said in a blog post Monday.
Six of the 11 flaws discovered by Armis are so-called “remote code execution” or “RCE” flaws, which are considered among the most dangerous kinds of software hole, as they allow remote attackers to place and execute their own code on vulnerable devices. The remaining flaws are a mix of denial of service flaws, information leak vulnerabilities and other lower risk security holes.
All versions of VxWorks beginning with version 6.5 onward are affected by the flaws, which were found in the operating system’s implementation of the TCP/IP networking stack: a critical component that is used by any networked device running VxWorks, according to Seri. “Any device that is built upon this operating system that has networking capabilities and that is using an impacted version of VxWorks will be impacted by this vulnerability.”
The flaws discovered by Armis are not new; VxWorks Version 6.5 was released in 2007.
The risk to organizations is considerable. Armis claims that, collectively, the Urgent/11 flaws can be used to target a vulnerable VxWorks device regardless of whether it sits on the network perimeter or behind it. The flaws can enable remote attacks that could take complete control over a targeted device with no user interaction required. Depending on the attack, hackers may be able to use the flaws to bypass perimeter security as well as NAT (network address translation) solutions that can mask the location of IT assets to outside attackers.
Old features can still bite
Flaws in TCP/IP implementations were common in consumer operating systems in the 1990s but have become rare. However, VxWorks obscurity means that bugs that appeared in the operating system may have lingered.
“Through mutually embraced Responsible Disclosure, Wind River has been working closely with Armis to ensure customers were notified and provided remediation. This shared, collaborative process was designed and executed to help device makers mitigate any potential risk to their users,” said Arlen Baker, chief security architect, Wind River in a statement.
Despite being one of the most widely used operating system, VxWorks has not been extensively researched, Seri told The Security Ledger. “Normally when you have an operating system that is used in 2 billion devices, the name of it and how it is being used are well known. But VxWorks is a bit in the shadows, perhaps because it is not used in consumer devices as Windows and Android are,” he said.
While TCP/IP is ubiquitous, not all features of the TCP/IP networking stack are commonly used and many have been largely abandoned. However, VxWorks, which was first released in the late 1980s, includes support for many of these legacy features. The flaws discovered by Armis were mostly found in these largely abandoned and overlooked parts of the TCP/IP stack, Seri said.
Among the affected features is one known as “Urgent Pointer,” which allows an application using TCP to process and forward any data that must be dealt with immediately, without the data having to sit in a send queue for processing. The feature was used in applications like Telnet and FTP in the 1990s, but is no longer commonly used. Four of the remote code execution vulnerabilities were found in the Urgent Pointer feature, thus the name “Urgent/11.” In the IP layer, Armis found a hole in the IP parsing of source routing options. The feature is not used and is blocked by many routers because of prior security holes associated with it, but could be leveraged by an attacker on the same network as a VxWorks device, he said.
The flaws do not affect specialized versions of VxWorks including VxWorks Certified and VxWorks 653. That is because those versions, which are designed for use in high risk applications such as automotive and aviation, have disabled unneeded TCP/IP functions as part of efforts to harden the operating system from attack, Armis said. Still, many safety and life critical devices use standard versions of VxWorks that have not been hardened, including many life sciences and life sustaining medical devices, he said.
A long road to patches
Wind River acquired the TCP/IP networking stack used in VxWorks with the purchase of a company called Interpeak in 2006. The software, known as IPnet, was licensed by Interpeak to other software makers prior to 2006, however, so the Urgent/11 flaws may not be limited to the VxWorks platform.
“We know three of the vulnerabilities existed in the source code that was purchased by VxWorks with Interpeak in 2006,” Sims told The Security Ledger.
Armis worked with Wind River to address the flaws. That company has released patches for all of the Urgent/11 security holes. However, those patches will need to be incorporated into firmware updates from original equipment manufacturers (OEMs) and other software vendors. And, with a wide range of vendors affected including Siemens, ABB, Emerson Electric, Rockwell Automation, Mitsubishi Electronic, Samsung, Ricoh, Xerox, NEC and GE, it could take months before customers who own affected VxWorks devices have access to a patch for the flaws.
Seri and Dor Zusman, a security researcher at Armis, will present the Urgent11 vulnerabilities at Black Hat 2019 in Las Vegas on Thursday, August 8, 2019. Their talk will demonstrate attacks on three VxWorks-based devices including a Sonicwall firewall, a Xerox network printer and a medical device. A full report detailing the flaws is available here.
This isn’t the first time that a serious security hole in so-called “Realtime Operating Systems” (RTOS) has generated alarm.
A serious security hole in the MQX RTOS made by the firm NXP Semiconductors prompted a warning from the Department of Homeland Security Industrial Control System Cyber Emergency Response Team (ICS-CERT) in late 2017. In October 2018, a number of serious flaws were discovered in FreeRTOS, an open source Internet of Things operating system that is used by Amazon.com, among others.
(*) Correction: an earlier version of this story claimed that billions of devices were affected by the Urgent/11 flaws. Two billions devices run the VxWorks operating system but Armis estimates that some 200 million devices are affected by the flaws. The story has been updated to reflect the correct number of affected VxWorks devices.