VxWorks is a lightweight, thin OS designed for embedded systems; a new report from Armis identifies critical vulnerabilities (collectively called “Urgent 11”) in multiple versions of the OS that Armis estimates affect 200m systems (VxWorks’ maker, Wind River, disputes this figure).
The flaws sit in the OS’s TCP/IP stack, so they are network-addressable: they can be exploited remotely, and triggered with the sort of traffic that firewalls are unlikely to block. Because of the fire-and-forget nature of embedded systems — coupled with the low-level tasks they perform, which can’t be interrupted without disrupting many higher-level processes — many of these devices will be subject to “forever day” vulnerabilities: flaws that are likely never to be patched.
Wind River says that many of the affected versions of VxWorks have been end-of-lifed, and that its current OS version is not affected.
The more immediate challenge for organizations that use affected or potentially affected equipment will be to assess the risk they face. Armis researchers are presenting Urgent 11 as posing a serious and imminent threat, potentially at the scale of the Windows vulnerabilities that allowed the 2017 WannaCry worm to sow worldwide disruptions. Armis researchers are also warning that the difficulty of patching the flaws means this risk may be with us for the foreseeable future.
But the threat may very well be much smaller than that assessment. What’s more (assuming the threat is as bad as Armis says it is), it may be possible to mitigate the risk through means other than patching, such as access control lists, which restrict which hosts are allowed to connect to a vulnerable device. A better mitigation still is to remove a vulnerable device from the outside Internet altogether. Either way, people inside any organization using devices running VxWorks should make it a priority to do a deep dive on Urgent 11 so they can understand the risk it poses.
200 million devices—some mission-critical—vulnerable to remote takeover [Dan Goodin/Ars Technica]
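Assessing the risk starts with knowing which devices on the network run VxWorks at all, and the ACL mitigation above then has to be expressed as an actual policy. The following is an added example, not code from Armis, Wind River or the Ars Technica piece: it parses an nmap `-sV -O -oX` scan for VxWorks service banners and OS matches, then emits an nftables allowlist for a gateway in front of the device segment, so that only a single engineering workstation can open connections to each flagged device and the devices cannot initiate connections outward. The scan XML is constructed sample data, and the addresses, the management host and the `vxworks_isolation` table name are assumptions. A banner only tells you a device runs VxWorks, not which version, so whether it is actually one of the affected (or end-of-lifed) versions still has to be checked against Wind River’s advisory.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed nmap -sV -O -oX output (not a real scan): one host with a
# VxWorks ftp banner and OS match, and one ordinary Linux host as a control.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.20.0.15" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="VxWorks ftpd" version="6.9"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open"/>
        <service name="telnet"/>
      </port>
    </ports>
    <os><osmatch name="Wind River VxWorks" accuracy="93"/></os>
  </host>
  <host>
    <address addr="10.20.0.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
    </ports>
    <os><osmatch name="Linux 4.X" accuracy="90"/></os>
  </host>
</nmaprun>
"""


def find_vxworks_hosts(nmap_xml: str) -> List[Dict]:
    """Return hosts whose service banners or OS match mention VxWorks, with
    their open TCP ports and the evidence that matched. Banner matching is
    a fingerprint, not a version check against the advisory."""
    root = ET.fromstring(nmap_xml)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        evidence, open_ports = [], []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            open_ports.append(int(port.get("portid")))
            svc = port.find("service")
            if svc is not None:
                banner = " ".join(filter(None, (svc.get("product"), svc.get("version"), svc.get("extrainfo"))))
                if "vxworks" in banner.lower():
                    evidence.append(f"tcp/{port.get('portid')} banner: {banner}")
        for osm in host.iter("osmatch"):
            if "vxworks" in osm.get("name", "").lower():
                evidence.append(f"os match: {osm.get('name')} ({osm.get('accuracy')}%)")
        if evidence:
            found.append({"addr": addr_el.get("addr"), "ports": open_ports, "evidence": evidence})
    return found


def nft_allowlist(hosts: List[Dict], mgmt_host: str, table: str = "vxworks_isolation") -> str:
    """Emit an nftables forward-chain policy for the gateway in front of the
    device segment: only mgmt_host may open new connections to a flagged
    device's open ports; all other traffic to or from that device is dropped.
    Table name and mgmt_host are assumptions for this example."""
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    for h in hosts:
        ports = ",".join(str(p) for p in h["ports"]) or "0-65535"
        lines.append(f"    # {h['addr']}: {'; '.join(h['evidence'])}")
        lines.append(f"    ip saddr {mgmt_host} ip daddr {h['addr']} tcp dport {{ {ports} }} ct state new accept")
        lines.append(f"    ip daddr {h['addr']} drop")   # nobody else reaches the device
        lines.append(f"    ip saddr {h['addr']} drop")   # the device initiates nothing
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = find_vxworks_hosts(SAMPLE_NMAP_XML)
    for h in flagged:
        print(h["addr"], h["ports"], h["evidence"])
    print(nft_allowlist(flagged, mgmt_host="10.20.0.99"))
```

In practice you would feed it the XML from a real scan of the plant or office segment, load the generated ruleset with `nft -f`, and treat the flagged list as a starting point for pulling firmware versions from each device rather than as a final answer.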
David Tinley developed complex spreadsheets under contract to Siemens, which used them to manage its equipment orders; Tinley hid “logic bombs” in the spreadsheets’ scripts that caused them to malfunction every couple of years, which would gin up new work for him as he was called in to fix them.
The $5 billion FTC fine isn’t the only fine Facebook must pay.
Proposals to ban working cryptography were all the rage in the Clinton years, but then they fell out of vogue for a decade, only to come roaring back in the form of bizarre proposals each stupider than the last, with Australia bringing home the gold in the Dumbfuck Olympics.