Widely used VxWorks OS impacted by serious ‘URGENT11’ zero-day vulnerabilities

• VxWorks operating system, that is used by two billion IoT devices, is affected by a total of eleven vulnerabilities.
• The vulnerabilities reside in IPnet, VxWorks’ TCP/IP stack.

A team of security researchers at Armis has discovered a total of eleven zero-day vulnerabilities in the VxWorks operating system that is used by over two billion IoT devices. These IoT devices are spread across different industrial, medical and enterprise environments.

What’s the issue?

According to the researchers, the vulnerabilities are collectively dubbed as ‘URGENT11’ and reside in IPnet, VxWorks’ TCP/IP stack. The vulnerabilities range from memory corruption vulnerabilities to RCE flaw and have been assigned from CVE-2019-12255 to CVE-2019-12262.

Six out of eleven flaws are critical and can enable an attacker to remotely execute malicious code on to the systems. Five of these flaws can lead to denial of service condition, causing leak or information or errors.

While three of the eleven flaws were already existing in the IPnet code, the rest of the vulnerabilities have been introduced lately.

“The IPnet networking stack is a component of some versions of VxWorks, including end-of-life (EOL) versions back to 6.5. Specifically, connected devices leveraging older standard VxWorks releases that include the IPnet stack are impacted by one or more of the discovered vulnerabilities,” said Arlen Baker, Wind River Chief Security Architect in a blog post.

Exploitation potential

The vulnerabilities can be exploited by attackers to take control of a device situated either on the network perimeter or within it.

“URGENT/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions. These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks,” said Armis researchers.

The researchers noted that the ‘URGENT11’ vulnerabilities affect the VxWorks versions prior to 6.5. However, the versions of the product designed for safety certification - VxWorks 653 and VxWorks Cert Edition - are not affected by the issue.

“It is important to note that in all scenarios, an attacker can gain complete control over the targeted device remotely with no user interaction required, and the difference is only in how the attacker reaches it.” explained the researchers.

Potentially affected devices

Given the wide usage of VxWorks across the industries, it is estimated that the SCADA systems, elevators, industrial controllers, patient monitors, and MRI machines are impacted by the vulnerabilities. The ‘URGENT11’ vulnerabilities also affect firewalls, routers, satellite modems, VOIP phones, and printers.

What actions have been taken?

Organizations and device manufacturers using VxWorks OS should patch impacted devices immediately. The patches were disseminated to manufacturers by Wind River in June. The company has provided a new version - VxWorks 7 SR0620 - to address the flaws.

SonicWall and Xerox have already pushed out security updates for their firewalls and printers.