Stories
Slash Boxes
Comments

SoylentNews is people

Oh Sh*t's, 11: VxWorks Stars in Today's Security Thriller

posted by martyb on Wednesday July 31 2019, @09:07PM   Printer-friendly
from the reminder-that-IoT-is-security-hell dept.

upstart writes:

Submitted via IRC for Carny

Oh sh*t's, 11: VxWorks stars in today's security thriller – hijack bugs discovered in countless gadgets' network code

Wind River has patched 11 security vulnerabilities in VxWorks that can be potentially exploited over networks or the internet to commandeer all sorts of equipment dotted around the planet.

This real-time operating system powers car electronics, factory robots and controllers, aircraft and spacecraft, wireless routers, medical equipment, digital displays, and plenty of other stuff – so if you deploy a vulnerable version of VxWorks, and it is network or internet-connected, you definitely want to check this out.

This set of bugs seemingly primarily affects things like printers and gateways, we must point out.

The vulnerabilities, discovered by security outfit Armis, can be exploited to leak internal device information, crash gadgets, and – in more than half of the flaws – execute malicious code on machines. It is estimated that VxWorks runs on two billion devices as an embedded OS, though Armis reckoned 200 million gizmos are actually potentially affected. Wind River told El Reg it reckons that second figure, as an estimate, is too high.

According to Armis [PDF] today, all 11 of the vulnerabilities (dubbed Urgent/11 for marketing purposes) are found in the VxWorks TCP/IP stack, IPnet. Bear in mind, this stack can be found in non-VxWorks systems: Wind River acquired it in 2006 when it bought Interpeak, which had licensed its code to other real-time operating system makers.

As such, an attacker needs network access to a vulnerable device, either on a LAN or over the internet if for some reason the gadget is public facing. VxWorks version 6.5 or higher, released circa 2006, with IPnet is vulnerable, except VxWorks 7 SR0620, which is the latest build: it contains patches that fix the aforementioned holes, and was released on July 19 following Armis' discovery of the blunders. Safety-certified flavors of the OS, such as VxWorks 653 and VxWorks Cert Edition are said to be unaffected.

"As each vulnerability affects a different part of the network stack, it impacts a different set of VxWorks versions," Armis researchers Ben Seri, Gregory Vishnepolsky, and Dor Zusman said in a write-up. "As a group, URGENT/11 affect VxWorks' versions 6.5 and above with at least one remote code execution vulnerability affecting each version."

Should a miscreant be able to connect to a vulnerable VxWorks device, they would potentially be able to send packets that could exploit any of the six critical flaws (CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12257) to gain remote code execution, thus leading to a complete takeover of the hardware.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Oh Sh*t's, 11: VxWorks Stars in Today's Security Thriller | Log In/Create an Account | Top | 15 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by DannyB on Thursday August 01 2019, @05:10PM (3 children)

    by DannyB (5839) Subscriber Badge on Thursday August 01 2019, @05:10PM (#874146) Journal

    I still have mine. I remember deliberately having to seek out the wrt54GL. Not to be forgettin' the L.

    Linksys did not like that Linux on their hardware made their low end consumer products now compete with much higher priced devices in the $1000 price range. All on a cheap $50 plastic router. They did not like it indeed.

    Eventually many inexpensive consumer routers starting having the kind of flexibility that was possible with the WRT54GL using third party firmware.

    I'm sure Linksys did not like that. Just as IBM probably didn't like that people found out that they could upgrade their printer to the faster model by just moving a belt from one pulley to another. But move it back when an IBM field tech is coming to visit.

    --
    The people who rely on government handouts and refuse to work should be kicked out of congress.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by Revek on Tuesday August 06 2019, @12:47PM (2 children)

    by Revek (5022) on Tuesday August 06 2019, @12:47PM (#876475)

    It wasn't linksys that didn't like it. Cisco profits were threatened by linksys products. They had produced switches and routers that were setting up to be a threat to cisco's dominance at the time. Cisco bought them and cherry picked the IP for what they wanted and sold off the corpse.

    --
    This page was generated by a Swarm of Roaming Elephants

    • (Score: 2) by DannyB on Tuesday August 06 2019, @01:35PM (1 child)

      by DannyB (5839) Subscriber Badge on Tuesday August 06 2019, @01:35PM (#876499) Journal

      You're right. I had forgotten about Cisco acquiring Linksys. I was just vaguely remembering.

      --
      The people who rely on government handouts and refuse to work should be kicked out of congress.

      • (Score: 2) by Revek on Tuesday August 06 2019, @02:50PM

        by Revek (5022) on Tuesday August 06 2019, @02:50PM (#876550)

        For some reason I can remember most of details. I remember when linksys was sued over the source code of their kernel. They lost and that is the reason products like ddwrt and openwrt were developed. I'm pretty sure the FSF sued them in 2003 for the source code for their routers kernel.

        --
        This page was generated by a Swarm of Roaming Elephants