Defects in embedded OS VxWorks leave an estimated 200m devices vulnerable, many of them mission-critical "forever day" systems

VxWorks is a lightweight real-time OS designed for embedded systems; a new report from Armis identifies critical vulnerabilities (collectively called "Urgent 11") in the TCP/IP stack of multiple versions of the OS, which Armis estimates affect 200m devices (VxWorks' maker, Wind River, disputes this figure).

The defects are network-reachable, meaning they can be exploited remotely, and they can be triggered by the kind of traffic that firewalls are unlikely to block. Because embedded devices are deployed and then left alone, and because the low-level tasks they perform often can't be interrupted without disrupting many higher-level processes, many of these devices will be subject to "forever day" vulnerabilities: flaws that are likely never to be patched.

Wind River says that many of the affected versions of Vxworks have been end-of-lifed, and that its current OS version is not affected.

The more immediate challenge for organizations that use affected or potentially affected equipment will be to assess the risk they face. Armis researchers are presenting Urgent 11 as posing a serious and imminent threat, potentially at the scale of the Windows vulnerabilities that allowed the 2017 WannaCry worm to sow worldwide disruption. Armis researchers are also warning that the difficulty of patching the flaws means this risk may be with us for the foreseeable future.

But the threat may very well be much smaller than that assessment. What's more (assuming the threat is as bad as Armis says it is), it may be possible to mitigate the risk through means other than patching, such as access control lists on the surrounding network, which restrict which hosts are allowed to connect to a vulnerable device. A better mitigation still is to remove a vulnerable device from the outside Internet altogether. Either way, people inside any organization using devices running VxWorks should make it a priority to do a deep dive on Urgent 11 so they can understand the risk it poses.
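As an added illustration of the access-control-list mitigation described above (this is example code written for this page, not code from Armis, Wind River or the Ars Technica article), the shell function below generates an nftables ruleset for the gateway that sits in front of an unpatchable embedded device. Only an allowlist of management hosts may reach the device; everything else aimed at it is counted and dropped before it ever reaches the device's TCP/IP stack, where the vulnerable code lives. The table name `urgent11_acl`, the set name `mgmt_hosts` and every IP address used are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the article, Armis or Wind River.
# Builds an nftables allowlist so that only named management hosts can reach
# an embedded device that cannot be patched. All addresses are placeholders.
set -eu

# gen_device_acl DEVICE_IP MGMT_CIDR [MGMT_CIDR ...]
# Prints a ruleset for the forwarding gateway between the device and the
# rest of the network. The "weak" configuration this replaces is simply
# having no such rule, i.e. the chain's default "policy accept" on its own.
gen_device_acl() {
    dev="$1"
    shift
    [ "$#" -ge 1 ] || { echo "need at least one management host" >&2; return 1; }
    elems=""
    for h in "$@"; do
        # comma-separate the allowlist entries for the nftables set
        elems="${elems:+$elems, }$h"
    done
    cat <<EOF
table inet urgent11_acl {
  set mgmt_hosts {
    type ipv4_addr
    flags interval
    elements = { $elems }
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    # allowlisted management hosts may talk to the device
    ip daddr $dev ip saddr @mgmt_hosts accept
    # every other packet aimed at the device is counted and dropped
    ip daddr $dev counter drop
  }
}
EOF
}

# If the device must open its own outbound connections (NTP, logging, ...),
# replies to those will also be dropped by the rule above; adding an
# "ip daddr $dev ct state established,related accept" line before the drop
# re-enables them, at the cost of exposing the device to whatever answers.

# Syntax-check the generated ruleset without loading it, when nft is present.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_device_acl "$@" | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# usage (placeholder addresses):
#   gen_device_acl 10.0.2.20 10.0.1.10 10.0.1.0/28 > /etc/nftables.d/urgent11.nft
```

Load the generated file with `nft -f` on the gateway, then confirm from a host outside the allowlist that the device no longer answers; the `counter` on the drop rule shows how much unexpected traffic the device was receiving, which is useful input for the risk assessment the article calls for.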

200 million devices—some mission-critical—vulnerable to remote takeover [Dan Goodin/Ars Technica]