Researchers at Armis Labs have discovered 11 potentially serious security flaws affecting the Wind River VxWorks real-time operating system (RTOS), described by the company as “the most widely used operating system you may never have heard about”.
Collectively named ‘Urgent/11’ by Armis Labs, the flaws affect an estimated 200 million devices going back to an earlier version of VxWorks in 2006, including routers, modems, firewalls, printers, VoIP phones, SCADA systems, IoT, and even MRI machines and elevators.
That diversity and volume of devices creates a huge patching job because many of their current owners might not even realise they’re using VxWorks, especially when a device dates back years.
The specific issue is in the VxWorks’ TCP/IP stack (IPnet), part of a software stack that first appeared in 1987 which apparently has suffered barely any security flaws during that time.
But what is an RTOS? The short answer is that it’s used by a device that must guarantee fast response (hence ‘real time’) and where reliability is more important than brute computing power.
For example, vehicle airbag systems use RTOS to ensure the bag inflates at precisely the right moment – neither too early nor too late.
That, and its 32-year-old heritage, explains why Wind River’s VxWorks is used by two billion devices even if the newly discovered flaws affect only a subset of those.
Writes Armis Labs:
The actual extent of VxWorks devices is astonishing, including Siemens, ABB, Emerson Electric, Rockwell Automation, Mitsubishi Electronic, Samsung, Ricoh, Xerox, NEC, and Arris, among others.
It was even used by NASA’s 2018 InSight Mars Lander mission, although there’s no suggestion this is affected (being 40 million miles away also helps).
Reported to Wind River some time ago, the list of 11 CVEs (see the official alert for details) comprises six critical remote code execution (RCE) flaws, plus five less serious issues that could lead to denial of service, information leaks, or logic errors (although a DoS state in an RTOS could still cause big headaches).
The main worry is that where devices are accessible from the internet, or locally, exploiting the flaws would be relatively easy while being difficult to detect.
According to Armis Labs, attackers could exploit them to take control of affected devices via the TCP/IP stack without user interaction. Firewalls wouldn’t be able to detect or stop such attacks and any using affected software would be at direct risk themselves.
So far, there is no evidence that any flaw has ever been exploited in an attack.
Affected versions and fixes
All versions of VxWorks since 6.5, released in 2006 are affected (the year Wind River acquired the software) although some older versions where the software was used as a standalone TCP/IP stack might also be affected in addition to discontinued versions of Wind River Advanced Networking Technologies.
VxWorks 653 and VxWorks Cert Edition, used in safety-critical systems, are not affected.
Wind River issued patches for the flaws on 19 July, which should be applied urgently. In some cases, it might be possible to mitigate the flaws using firewall rules (after applying any patches to these of course) or through source code tweaks, Armis Labs said.
Because of the diversity of devices, owners are advised to contact their device makers for updates.
This will sound reassuring – researchers have uncovered potentially serious flaws before attackers got to them and the affected vendor has produced the fixes to patch the holes.
The problem, of course, is actually applying those patches to a large number of devices that owners might not understand in detail and which often require specialist knowledge to work with.
Urgent/11 might turn out to be the world’s trickiest IoT challenge.