Armis Researchers Disclose Flaws in VxWorks Operating System
Security researchers with security vendor Armis have disclosed 11 different zero-day vulnerabilities within VxWorks, a real-time operating system used in some 2 billion embedded systems that include medical devices, routers, VOIP phones and even mission-critical infrastructure equipment, the company detailed on Monday.
This collection of vulnerabilities, which Armis calls “Urgent/11,” could lead to remote code execution and allow an attacker to take over a whole system without interacting with the user. Of the 11 flaws, six are deemed critical, according to the research released Monday.
VxWorks is a widely used real-time operating system that is owned and maintained by Wind River, headquartered in California. Unlike Microsoft Windows or Linux, these types of operating systems are found in various embedded and internet of things systems and typically process data quickly and allow for a high degree of reliability.
Armis, a California-based firm that focuses on IoT security, is working with Wind River, which acquired VxWorks in 2006, to identify all the vulnerabilities and create fixes for users. So far, none of these flaws have been exploited in the wild but the sheer number of affected systems should make patching of these devices an urgent matter, the two companies say.
VxWorks has been deployed across different markets for more than 30 years and is still used in numerous embedded systems and IoT devices, including mission critical supervisory control and data acquisition systems, such as elevator and industrial controllers, as well as patient monitors, MRI machines, firewalls, routers, modems, VOIP phones and printers, according to Wind River.
“None of the devices that contain Urgent/11 vulnerabilities can be protected by traditional security agents, and this is a problem for many IoT and unmanaged devices,” Ben Seri, vice president of research at Armis, tells Information Security Media Group. “Moreover, many of the impacted devices are sensitive devices that are used in industrial, manufacturing, or healthcare delivery environments; scanning or probing these devices with a traditional network vulnerability scanner is unwise because those actions are likely to disrupt or crash the devices.”
In addition to a blog post, Armis released a technical white paper about its research, and the company’s researchers, Seri and Dor Zusman, plan to discuss their findings in depth at the Black Hat security conference in August.
Since Wind River acquired VxWorks 13 years ago from a company called Interpeak, there have been numerous versions of the real-time operating system, and in most cases these types of embedded operating systems are overlooked by researchers, according to Armis.
It’s one reason why these 11 different vulnerabilities have lasted so long without anyone taking notice of them until now, the researchers note. And since the software is used in billions of devices, the types of security problems these flaws can cause are numerous.
This is one of the main concerns when it comes to IoT and embedded device security, Seri says.
“Unfortunately, real-time operating systems have not been researched as thoroughly as most consumer operating systems have, and VxWorks is not the only widely used RTOS,” Seri says. “So many more vulnerabilities might be lurking in these uncharted territories. On the other hand – there is a growing awareness of the various embedded systems, and on the various security risks they might have. So we are on the right track.”
All 11 vulnerabilities disclosed by Armis are found within VxWorks’ transmission control protocol/Internet protocol (TCP/IP) stack, which is also called IPnet. This is the protocol stack that these devices use to connect to the public internet, according to the researchers. If attackers can exploit one of these vulnerabilities, it would allow them to circumvent network address translation and firewall protection and take control of a device remotely with no user interaction needed, according to Armis.
Armis does note that only the six vulnerabilities deemed critical can lead to remote code execution. The other five, while not as dangerous, can still cause problems including denial-of-service attacks, data leaks and logical errors, the researchers say.
The critical vulnerabilities are also a concern because, as the Armis researchers found, the flaws do not require user interaction, so an exploit using remote code execution could spread malware from one vulnerable device to another within a network in the same way that the WannaCry ransomware and a newer Windows vulnerability called BlueKeep are both “wormable” (see: Sophos Proof-of-Concept Exploit Shows Dangers of BlueKeep).
The full list of vulnerabilities can be found on Wind River’s security site.
The URGENT/11 vulnerabilities affect all versions of the VxWorks software starting with the 6.5 release. The flaws, however, do not affect products designed for certification – such as VxWorks 653 and VxWorks Cert Edition – which are used by selected industries such as transportation, according to Armis.
Time to Patch
Since Armis researchers disclosed the 11 vulnerabilities to Wind River before publishing their findings on Monday, Wind River’s security team has prepared and published a number of patches to fix the vulnerabilities.
“Important to note, not all vulnerabilities apply to all impacted versions,” Arlen Baker, chief security architect with Wind River, wrote in a blog post published Monday. “To date, there is no indication the Urgent/11 vulnerabilities have been exploited in the wild. Organizations deploying devices with impacted versions of VxWorks that have the IPnet networking stack should patch impacted devices immediately.”
The two companies, however, disagree on how many embedded devices and systems are affected by the 11 zero-day vulnerabilities.
Both companies do agree that there are more than 2 billion devices running the VxWorks real-time operating system. While Armis researchers note that there are about 200 million devices running the versions of the operating system that contain these flaws, Baker writes that the total number hasn’t been confirmed and is likely not as high as 200 million devices and systems.
The Wind River security bulletin also notes that older versions of VxWorks are now at end-of-life, so devices that use these versions should be upgraded to more current versions of the software.