Oh sh*t's, 11: VxWorks stars in today's security thriller – hijack bugs discovered in countless gadgets' network code

Wind River has patched 11 security vulnerabilities in VxWorks that can be potentially exploited over networks or the internet to commandeer all sorts of equipment dotted around the planet.

This real-time operating system powers car electronics, factory robots and controllers, aircraft and spacecraft, wireless routers, medical equipment, digital displays, and plenty of other stuff – so if you deploy a vulnerable version of VxWorks, and it is network or internet-connected, you definitely want to check this out.

This set of bugs seemingly primarily affects things like printers and gateways, though, we must point out.

The vulnerabilities, discovered by security outfit Armis, can be exploited to leak internal device information, crash gadgets, and – in more than half of the flaws – execute malicious code on machines. It is estimated that VxWorks runs on two billion devices as an embedded OS, though Armis reckoned 200 million gizmos are actually potentially affected. Wind River told El Reg it reckons that second figure, as an estimate, is too high.

According to Armis [PDF] today, all 11 of the vulnerabilities (dubbed Urgent/11 for marketing purposes) are found in the VxWorks TCP/IP stack, IPnet. Bear in mind, this stack can be found in non-VxWorks systems: Wind River acquired it in 2006 when it bought Interpeak, which had licensed its code to other real-time operating system makers.

As such, an attacker needs network access to a vulnerable device, either on a LAN or over the internet if for some reason the gadget is public facing. VxWorks version 6.5 or higher, released circa 2006, with IPnet is vulnerable, except VxWorks 7 SR0620, which is the latest build: it contains patches that fix the aforementioned holes, and was released on July 19 following Armis' discovery of the blunders. Safety-certified flavors of the OS, such as VxWorks 653 and VxWorks Cert Edition are said to be unaffected.

"As each vulnerability affects a different part of the network stack, it impacts a different set of VxWorks versions," Armis researchers Ben Seri, Gregory Vishnepolsky, and Dor Zusman said in a write-up. "As a group, URGENT/11 affect VxWorks’ versions 6.5 and above with at least one remote code execution vulnerability affecting each version."

Should a miscreant be able to connect to a vulnerable VxWorks device, they would potentially be able to send packets that could exploit any of the six critical flaws (CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12257) to gain remote code execution, thus leading to a complete takeover of the hardware.

Obviously, the seriousness of the exploit would depend on the device itself and where it sits on the network. External-facing devices like firewalls and routers could be pwned to act as the springboard for a larger attack, or embedded devices like industrial appliances could be exploited to cause physical damage.

Additionally, a hacker could cause a denial of service via two of the bugs (CVE-2019-12258, CVE-2019-12259), leak information (CVE-2019-12265), or tamper with devices through logic flaws (CVE-2019-12264, CVE-2019-12262).

Wind River is advising folks to update their installations to protect against exploits, though none have been reported in the wild so far – which is good news because VxWorks-powered equipment typically runs constantly in critical functions where sudden outages for upgrades are most unfavorable. Also, you can't just push firmware updates out to machinery and hope for the best: new builds have to go through rounds of testing first.

"In addition to the difficulty in identifying which devices run VxWorks, device manufacturers are also faced with a challenge to provide firmware upgrades within a reasonable time," the Armis researchers noted. "Many VxWorks devices, such as medical and industrial devices, are required to go through extensive testing and certification processes before firmware updates can be provided to end-users."

A spokesperson for Wind River told The Register VxWorks "has built-in security features that protect against the vulnerabilities when enabled," meaning it's quite possible at-risk devices will automatically thwart exploit attempts using defenses such as non-executable stacks – if enabled, of course. It is also possible to firewall off VxWorks-powered equipment from the rest of the network or world, of course.

They added that vulnerable machines likely "make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organizational networks that are internet-facing such as modems, routers, and printers."

There's more info over here in an FAQ from Wind River. ®