Security researchers disclosed 11 flaws in the VxWorks real-time operating system, but VxWorks developer Wind River Systems disagreed with researchers on the potential risks of the issues.
Researchers for Armis Labs discovered the VxWorks vulnerabilities -- which they dubbed URGENT/11 -- in the TCP/IP IPnet stack of the OS. VxWorks is a real-time OS embedded in 2 billion devices. The VxWorks vulnerabilities could affect more than 200 million devices, including SCADA devices, industrial controllers, patient monitors, MRI machines, firewalls, VoIP phones and printers, according to the Armis report.
"Six of the vulnerabilities are classified as critical and enable Remote Code Execution (RCE). The remaining vulnerabilities are classified as denial of service, information leaks or logical flaws. URGENT/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions," the report stated. "These devastating traits make these vulnerabilities 'wormable,' meaning they can be used to propagate malware into and within networks. Such an attack has a severe potential, resembling that of the EternalBlue vulnerability, used to spread the WannaCry malware."
Extent of the vulnerabilities under debate
According to Wind River, Armis disclosed the VxWorks vulnerabilities in March. The first patches were created and tested in May, and customers were notified in June with a security advisory. All of the fixes were released as part of VxWorks 7 on June 19. However, Arlen Baker, chief security architect for Wind River, disputed the claim that the VxWorks vulnerabilities affected 200 million devices, saying that number "is not confirmed, nor do we believe it to be that high."
Baker wrote in a blog post, "Those impacted make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organizational networks that are non-critical and internet-facing, such as modems, routers, and printers, as well as some industrial and medical devices."
When asked about the risk of enterprise networks being breached because of the VxWorks vulnerabilities, a Wind River spokesperson said, "Wind River doesn't define mission-critical devices as those found in enterprise environments, rather those found in critical infrastructure."
Deral Heiland, IoT research lead at Rapid7, said that at the very least, the six RCE vulnerabilities "are of great concern.
"I would expect that, if not all, several of these will get turned into functioning RCEs. However, not all can be exploited over the internet; one can only be exploited if an attacker is on the same LAN subnet," Heiland said. "With such a large base of systems using vulnerable versions of VxWorks, this issue could become critical for organizations that may not be aware of what they have deployed or do not have effective patch management plans in place."
Craig Young, computer security researcher for the vulnerability and exposure research team at Tripwire, noted that, because of the VxWorks-specific knowledge required, "exploits would most likely be limited to targeting a specific product with a specific range of versions as opposed to a generic canned exploit to target any device.
"Of the six critical RCE flaws, one is related to source routing IP options and four more are related to the urgent data mechanism. In more than a decade of professional experience with network security, I cannot think of a single instance where either of these technologies were being used legitimately," Young wrote via email. "Although these features are rarely used, until recently, nobody was giving much thought (publicly) to this large attack surface, and on the development side, nobody wants to be the one who broke backward compatibility."
The Armis researchers also pointed out that the most severe of the VxWorks vulnerabilities "abuse esoteric parts of the TCP/IP stack that are almost never used by legitimate applications."
A Wind River spokesperson justified still including these parts by saying, "VxWorks provides broad support for an extremely large and diverse customer base across industries, so we must provide these esoteric parts of the TCP/IP Stack."
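As an added illustration (not code from the article, Armis or Wind River), the following Python parser flags IPv4 packets that use the two rarely used features Young names, source-routing IP options (LSRR/SSRR) and the TCP urgent mechanism, so a defender can alert on them on segments where nothing should legitimately use them. The packets it inspects are constructed inline with made-up addresses and ports.

```python
import struct

IP_OPT_LSRR = 0x83    # IPv4 option type: Loose Source and Record Route (RFC 791)
IP_OPT_SSRR = 0x89    # IPv4 option type: Strict Source and Record Route
TCP_FLAG_URG = 0x20   # TCP URG flag bit in the flags byte

def ipv4_option_types(pkt: bytes):
    """Return (list of option type bytes, header length) for an IPv4 packet, skipping NOP/EOL."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, types, i = pkt[20:ihl], [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:          # End of Option List
            break
        if t == 1:          # No Operation (single byte, no length field)
            i += 1
            continue
        types.append(t)
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:      # malformed length would loop forever; stop parsing
            break
        i += length
    return types, ihl

def inspect(pkt: bytes):
    """Flag a packet that uses IP source routing or TCP urgent data."""
    findings = []
    types, ihl = ipv4_option_types(pkt)
    if IP_OPT_LSRR in types or IP_OPT_SSRR in types:
        findings.append("ip-source-route")
    if pkt[9] == 6 and len(pkt) >= ihl + 20:      # protocol 6 = TCP, full base header present
        tcp = pkt[ihl:ihl + 20]
        urg_ptr = struct.unpack("!H", tcp[18:20])[0]
        if tcp[13] & TCP_FLAG_URG or urg_ptr:    # URG flag set or non-zero urgent pointer
            findings.append("tcp-urgent")
    return findings

def build_packet(ip_options: bytes = b"", tcp_flags: int = 0x02, urg_ptr: int = 0) -> bytes:
    """Constructed test packet (made-up 10.0.0.x addresses): IPv4 header + options + 20-byte TCP header."""
    opts = ip_options + b"\x00" * ((-len(ip_options)) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 8192, 0, urg_ptr)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + opts + tcp

# Constructed LSRR option: type, length 7, pointer 4, one hop address.
LSRR_OPTION = bytes([IP_OPT_LSRR, 7, 4, 10, 0, 0, 3])
```

Fed raw IPv4 frames from a capture, `inspect` returns an empty list for ordinary traffic and names the esoteric feature otherwise, which is a usable alert condition regardless of whether the destination runs VxWorks.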
The importance of patch management
Armis noted that patches are available for SonicWall firewalls and Xerox printers.
When asked about ways to find vulnerable devices and the difficulty in patching, Wind River said, "Modern-day cybersecurity procedures require the majority, if not all, of our customers to have procedures in place, including those of patch management.
"All patches require testing from both a functional and performance perspective and then will align to the specifics that the device operates in," a Wind River spokesperson said. "Just like in enterprise environments, embedded devices can be scheduled ahead of time to be taken offline to be updated."
Heiland added that fixing the VxWorks vulnerabilities will likely be more difficult "for organizations that do not have effective security, patch and vulnerability management programs in place.
"Organizations that do have programs should be able to leverage their current vulnerability scanning solutions to identify current VxWorks operating systems that are potentially vulnerable," Heiland said. "For those that do not have solid security programs in place, here is the perfect opportunity for them to start developing an effective enterprise-wide security management approach for IoT and embedded technology."
Armis researchers Ben Seri and Dor Zusman will present the research behind the URGENT/11 VxWorks vulnerabilities and provide demonstration exploits at the Black Hat 2019 conference in Las Vegas on Aug. 8.