Oh sh*t's, 11: VxWorks stars in today's security thriller – hijack bugs discovered in countless gadgets' network code
Wind River has patched 11 security vulnerabilities in VxWorks that can be potentially exploited over networks or the internet to commandeer all sorts of equipment dotted around the planet.
This real-time operating system powers car electronics, factory robots and controllers, aircraft and spacecraft, wireless routers, medical equipment, digital displays, and plenty of other stuff – so if you deploy a vulnerable version of VxWorks, and it is network or internet-connected, you definitely want to check this out.
This set of bugs seemingly primarily affects things like printers and gateways, we must point out.
The vulnerabilities, discovered by security outfit Armis, can be exploited to leak internal device information, crash gadgets, and – in more than half of the flaws – execute malicious code on machines. It is estimated that VxWorks runs on two billion devices as an embedded OS, though Armis reckoned 200 million gizmos are actually potentially affected. Wind River told El Reg it reckons that second figure, as an estimate, is too high.
According to Armis [PDF] today, all 11 of the vulnerabilities (dubbed Urgent/11 for marketing purposes) are found in the VxWorks TCP/IP stack, IPnet. Bear in mind, this stack can be found in non-VxWorks systems: Wind River acquired it in 2006 when it bought Interpeak, which had licensed its code to other real-time operating system makers.
As such, an attacker needs network access to a vulnerable device, either on a LAN or over the internet if for some reason the gadget is public facing. VxWorks version 6.5 or higher, released circa 2006, with IPnet is vulnerable, except VxWorks 7 SR0620, which is the latest build: it contains patches that fix the aforementioned holes, and was released on July 19 following Armis' discovery of the blunders. Safety-certified flavors of the OS, such as VxWorks 653 and VxWorks Cert Edition are said to be unaffected.
"As each vulnerability affects a different part of the network stack, it impacts a different set of VxWorks versions," Armis researchers Ben Seri, Gregory Vishnepolsky, and Dor Zusman said in a write-up. "As a group, URGENT/11 affect VxWorks' versions 6.5 and above with at least one remote code execution vulnerability affecting each version."
Should a miscreant be able to connect to a vulnerable VxWorks device, they would potentially be able to send packets that could exploit any of the six critical flaws (CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12257) to gain remote code execution, thus leading to a complete takeover of the hardware.
(Score: 2) by Revek on Wednesday July 31, @09:39PM
We never give them a public IP address. Most VxWorks devices scare the crap out of you due to really poor documentation. Most of our equipment is Motorola now arris and they are only accessible from the management network due to sporadic updates and what I can only label as piss poor support.
(Score: 3, Informative) by bzipitidoo on Wednesday July 31, @09:40PM
My only experience with VxWorks was with the highly regarded Linksys WRT54G router. I bought one, knowing that it ran Linux and had a great reputation. But unknown to me at that time, Linksys had just massively changed their router. What I was expecting was what they called revision 4. What I got was revision 5, and it was a total piece of crap. They'd gutted the hardware. It had half the RAM of the previous version. And, I understand they'd replaced Linux with VxWorks. Couldn't even freaking ping an internal IP address reliably, it was so awful. Saw massive delays of 10 seconds for a ping to travel between two computers on my internal network, if it arrived at all. Two days later, I took it back for a refund.
