Almost a dozen serious vulnerabilities have been sitting for the past 13 years in the VxWorks real-time operating system (RTOS) used to power mission-critical embedded devices.

Built and maintained by Wind River, VxWorks is designed to serve computing needs in the critical infrastructure where low latency in data processing is an absolute requirement.

According to Wind River, more than two billion embedded systems rely on its RTOS operating system and is trusted by top-tier organizations from various industry segments: defense, security, aerospace, robotics, engineering, industrial automation, and even solar system exploration (NASA Jet Propulsion Laboratory).

VxWorks used in critical systems

Systems such as SCADA, elevator and industrial controllers, patient monitors, and MRI machines, firewalls, routers,​ satellite modems, VOIP phones, and printers likely impacted.

An adversary exploiting the glitches could take over the affected devices without any interaction from the user. More worryingly, network-level security solutions like firewalls and NAT systems cannot stop the attack. This happens because the packets sent during the attack look like non-threatening network communication.

Below is a video demonstrating how the researchers were able to take over SonicWall firewall. According to a search Armis did on Shodan, there are over 800,000 reachable over the internet.

SonicWall acknowledged that versions of its SonicOS software powering some of its  physical security appliances has vulnerabilities in code intended for remote management. The company told BleepingComputer that it found no evidence that the flaws were exploited in the wild. Patches are available since July 19 and the company advised customers and end users to apply the update.

Due to this, the researchers say that these faults could have similar consequences as the EternalBlue and WannaCry attacks, which allowed a malware to spread throughout a company’s global network.

The Armis Labs research team discovered 11 vulnerabilities affecting a different part of IPnet, the TCP/IP stack in VxWorks. Researchers refer to the collection as ‘URGENT/11’ with some of the bugs affect different versions of the OS, the earliest one being 6.5, released in 2006.

Six of the URGENT/11 bugs can be exploited to achieve remote code execution (RCE) – at least one of them affects each version of the OS starting 6.5, while others can lead to denial of service, information leaks or are classified as logical flaws.

It is important to note that the vulnerabilities discovered by Armis do not affect the versions of the product designed for certification – VxWorks 653 and VxWorks Cert Edition​, used by specific industries, including transportation.

VxWorks is closed source, so assessing it for vulnerabilities is not easy. In a white paper published today, Armis explains that its researchers downloaded outdated source code and reverse engineered real end-user products to get updated binaries.

When the binaries are ELF files with debug symbols, it is easy to analyze the older versions of the source code, Armis says.

Attack scenarios

According to the researchers, there are three avenues of attack, depending on the location of the vulnerable device on the network and the adversary’s position.

“URGENT/11 can be used by an attacker to take control over a device situated either on the perimeter of the network or within it. Even a device that is reaching outbound to the internet could be attacked and taken over.” – Armis

If the attacker is inside the network, the collection of bugs can help them target a specific device, “or even broadcast an attack capable of taking over all impacted VxWorks devices in the network simultaneously,” the company notes in a blog post.

Attackers can target security devices at the fringe of the network, which are exposed to the internet, and take control of them. One example of a target is a SonicWall firewall running a vulnerable VxWorks version.

URGENT/11 could be used in another outside-the-network attack scenario to bypass security the security solutions protecting the local devices. Armis researchers say that the low-level nature of the flaws allow the attack to remain undetected by security solutions.

The third attack scenario imagined by Armis is where the threat actor is already inside the network. In this case, they can use URGENT/11 to breach all affected device at the same time with no user interaction, by sending malicious TCP packets throughout the network.

A video from Armis demonstrates the scope and impact of URGENT/11:

Mitigation options and patching

Armis responsibly informed Wind River and the developer worked to remove the glitches from its product and deliver a more secure version of its VxWorks RTOS.

Customers have been notified of the security flaws and were instructed to take mitigation action or install the latest patches.

Wind River explains that the IPnet “networking stack is a component of some versions of VxWorks, including end-of-life (EOL) versions back to 6.5.” URGENT/11 vulnerabilities affect embedded devices running an older version of VxWorks.

“The latest release of VxWorks is not affected by the vulnerabilities, nor are any of Wind River’s safety-critical products that are designed for certification, such as VxWorks 653 and VxWorks Cert Edition,” says the developer.

If patching or installing the latest VxWorks is not possible for the foreseeable future, customers can rely on rules for an Intrusion Detection System (IDS) to identify exploitation attempts. 

List of URGENT/11 vulnerabilities

Vulnerabilities leading to RCE:

Stack overflow in the parsing of IPv4 options, leading to RCE:

• CVE-2019-12256

Memory corruption from erroneous handling of the TCP Urgent Pointer field, leading to RCE:

• CVE-2019-12255
• CVE-2019-12260
• CVE-2019-12261
• CVE-2019-12263

Heap overflow in DHCP Offer/ACK parsing in ipdhcpc:

• CVE-2019-12257

Vulnerabilities leading to denial of service, information leak, or logical flaws:

TCP connection DoS via malformed TCP options:

• CVE-2019-12258

DoS via NULL dereference in IGMP parsing:

• CVE-2019-12259

Handling of unsolicited Reverse ARP replies (Logical Flaw)

• CVE-2019-12262

Logical flaw in IPv4 assignment by the ​ ipdhcpc DHCP client:

• CVE-2019-12264

IGMP Information leak via IGMPv3 specific membership report:

• CVE-2019-12265

UPDATE [07/29/19, 15:26 EST]: Article updated to include information from SonicWall about the availability of updates for certain of its products affected by vulnerabilities in the URGENT/11.