VxWorks Zero-Days Put Internet at Risk

Security researchers at Armis Labs have discovered 11 zero-day vulnerabilities in a real-time operating system that underpins many of the world’s industrial and enterprise devices. Called URGENT/11, the package of security bugs includes six critical flaws that allow remote code execution (RCE). Affected devices include SonicWall firewalls and Xerox printers.

VxWorks is an embedded operating system from Wind River that powers over two billion connected devices. You'll find it in everything from SCADA-based industrial equipment operated by utilities through to medical equipment.

All the bugs are in the operating system’s TCP/IP stack, IPnet, which Wind River acquired from Interpeak in 2006. Aside from the six RCE flaws, the others are denial-of-service, information-leak and logic bugs. They affect VxWorks 6.5 and later, with the exception of the versions designed for safety certification (VxWorks 653 and VxWorks CERT Edition).
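The affected range above (IPnet in VxWorks 6.5 and later, excluding VxWorks 653 and the CERT Edition) is the first thing a practitioner needs when deciding which devices to patch. The script below is an added example, not code from Armis Labs or Wind River: it turns that range into an asset-inventory triage check. The host names, OS banner strings and the regular expressions used to recognise VxWorks editions are assumptions made for illustration; real inventories and vendor banners vary.

```python
import re

# Affected range as the article states it: IPnet-based VxWorks 6.5 and later,
# excluding the safety-certified VxWorks 653 and VxWorks CERT Edition.
MIN_AFFECTED = (6, 5)

# Heuristic: the first "major[.minor]" number after the word "VxWorks".
# (Assumption: banner strings look like "VxWorks 6.9.4" or "VxWorks 7".)
_VERSION_RE = re.compile(r"vxworks\D*(\d+)(?:\.(\d+))?", re.IGNORECASE)


def classify_vxworks(os_string: str) -> str:
    """Map a free-form OS/firmware string to an URGENT/11 triage label.

    Labels:
      'affected'      - VxWorks 6.5 or later; patch level must still be verified
      'not-affected'  - VxWorks older than 6.5
      'excluded-cert' - VxWorks 653 / CERT Edition, out of scope per the advisory
      'unknown'       - not VxWorks, or no version number in the string
    """
    s = os_string.lower()
    if "vxworks" not in s:
        return "unknown"
    # Safety-certified editions first, so "VxWorks 653 3.0" is not read as
    # major version 653. "cert" is a loose match (assumption: banners spell
    # it "Cert Edition" or "CERT Edition").
    if re.search(r"\b653\b", s) or "cert" in s:
        return "excluded-cert"
    m = _VERSION_RE.search(s)
    if not m:
        return "unknown"
    major = int(m.group(1))
    minor = int(m.group(2) or 0)  # "VxWorks 7" has no minor; treat as 7.0
    return "affected" if (major, minor) >= MIN_AFFECTED else "not-affected"


# Constructed sample inventory (hypothetical hosts; not from the article).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "os": "VxWorks 6.9.4"},
    {"host": "printer-3f", "os": "VxWorks 7"},
    {"host": "plc-line2", "os": "VxWorks 5.5.1"},
    {"host": "avionics-lab", "os": "VxWorks 653 3.0"},
    {"host": "infusion-pump-7", "os": "VxWorks CERT Edition 6.6"},
    {"host": "hmi-kiosk", "os": "Wind River Linux 9"},
]


def triage(inventory):
    """Return the hosts in the affected range, sorted by name, for patching first."""
    return sorted(
        d["host"] for d in inventory if classify_vxworks(d["os"]) == "affected"
    )


if __name__ == "__main__":
    for d in SAMPLE_INVENTORY:
        print(f"{d['host']:18} {d['os']:26} {classify_vxworks(d['os'])}")
    print("Patch first:", triage(SAMPLE_INVENTORY))
```

The version check only tells you a device is in the vulnerable range, not whether the vendor's firmware already carries Wind River's fix; the 'affected' list is a starting point for checking each vendor's advisory, not a final verdict, and 'unknown' entries deserve a manual look rather than being dropped.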

That represents 13 years of bugs, nearly doubling the number of CVEs that VxWorks has accumulated in its 32-year history. Armis Labs attributes the bugs’ long survival to the VxWorks source code being proprietary, which has left few researchers able to examine it.

The danger of these bugs is that they are wormable, according to Armis Labs: malware that compromises one firewall or printer running VxWorks could use the same flaws to infect every other VxWorks device it can reach on the network.

The researchers’ write-up lays out a chilling example: an attacker could send a specially crafted TCP packet directly to SonicWall firewalls and take control of all of them at once, they said. That would create a massive botnet while also compromising every network those firewalls protect.

Armis Labs followed responsible disclosure and reported the bugs to Wind River first; Wind River has since released patches. The researchers will present their findings at Black Hat next week.

The big problem will be patching, because industrial, medical and SCADA-based devices are notoriously difficult to update. First, they often support critical processes, so introducing downtime is hard. Second, many of them sit on control networks rather than administrative ones, and control networks usually have far less frequent patch cycles. Many of these devices are also built to last for years, and their owners are in no hurry to replace them. Hopefully, enterprise admins will lead the charge and patch now, while industrial and medical device owners get up to speed as quickly as possible.
