Eleven vulnerabilities have been found in the Wind River VxWorks real time operating system (RTOS). Six of these security flaws are classed as critical. The vulnerabilities allow complete remote takeover without any user action, and affect critical devices in critical industries.
VxWorks is widely used in mission critical systems. Researchers at IoT security firm Armis have named the vulnerabilities collectively as ‘Urgent/11‘. Ben Seri, vice president of research at Armis, commented “A wide variety of industries rely on VxWorks to run their mission-critical devices in their daily operations — from healthcare to manufacturing and even security businesses. This is why Urgent/11 is so important. The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern.”
Wind River’s website shows that VxWorks users include aerospace (Boeing, NASA JPL, Northrop Grumman, BAE and more), Industrial (Rockwell Automation, OMRON, Mitsubishi Electric, Toshiba and more), motor (Ford, Bosch Motorsport, Clarion, Hyundai MOBIS and more), and medical firms such as Olympus and Varian Medical Systems.
“A compromised industrial controller,” reports Armis Labs, “could shut down a factory, and a pwned patient monitor could have a life-threatening effect.”
The vulnerabilities exist in the VxWorks IPnet stack, and any connected device that leverages VxWorks’ IPnet stack will be affected by at least one of the vulnerabilities. All standard versions of VxWorks released since 2006, when Wind River acquired IPnet through the acquisition of Interpeak, are affected. However, the problem may go beyond VxWorks since some of the vulnerabilities were already present when Wind River acquired the product, and Interpeak licensed its IPnet stack to other real-time operating system vendors.
“Urgent11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected,” warns Yevgeny Dibrov, CEO and co-founder of Armis. “The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk.”
Affected devices include, but are not limited to, SCADA devices, industrial controllers, patient monitors, MRI machines, firewalls, VOIP phones, and printers.
Armis says there are three separate attack scenarios that can be used. The first is to attack vulnerable devices stationed on the perimeter of the network, such as firewalls. The SonicWall firewall is an example. According to Shodan, there are more than 808,000 SonicWall firewalls connected to the internet, with more than half of them located in the U.S. An attacker could use a specially crafted TCP packet to take control of all the firewalls simultaneously, exposing the networks they protect, and amassing a huge botnet.
The second scenario can be directed against any affected device with an external network connection, and regardless of any firewall or NAT at the perimeter. An example would be a printer, behind a firewall but connecting to the cloud (such as Google Cloud Printing). An attacker could intercept the TCP connection (regardless of TLS) using a technique like the one used by DNSpionage. The attacker could then trigger an Urgent/11 RCE flaw on the printer, and from there take over all other VxWorks devices within the network.
The third scenario follows on from the first two. “An attacker already positioned within the network as a result of a prior attack, such as the scenarios described above,” says Armis, “can send the targeted VxWorks device packets capable of taking full control over the device, with no user interaction required.” This lateral movement requires no surveillance, since the Urgent/11 flaws enable simultaneous takeover of all VxWorks devices by broadcasting malicious packets throughout the network.
Six of the vulnerabilities allow remote code execution. These comprise a stack overflow in the parsing of IPv4 options (CVE-2019-12256); four memory corruption vulnerabilities stemming from erroneous handling of TCP’s Urgent Pointer field (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263); and a heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257).
The five remaining vulnerabilities can lead to denial of service, information leak or certain logical flaws. They comprise a TCP connection DoS via malformed TCP options (CVE-2019-12258); handling of unsolicited reverse ARP replies logical flaw (CVE-2019-12262); a logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264); DoS via NULL dereference in IGMP parsing (CVE-2019-12259); and IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265).
Armis researchers will demonstrate exploitation of these vulnerabilities at Black Hat 2019. The demonstrations will involve real-world end-to-end attacks on three VxWorks-based devices: a SonicWall firewall, a Xerox printer and a patient monitor. Armis believes that there are more than 200 million vulnerable mission-critical devices around the world. It has been working with Wind River to address the vulnerabilities. Patches were released and customers notified last month. To the best of both companies’ belief, none of the vulnerabilities have ever been exploited. VxWorks users, however, will need to ensure that all their devices have been updated to the latest patched version.
Palo Alto-based IoT security firm Armis raised $65 million in a Series C funding round led by Sequoia Capital in April 2019 — bringing the total funding raised to date to $112 million.