Researchers at Armis Labs have discovered a dozen zero-day flaws in the VxWorks real-time operating system (RTOS) for embedded devices.
The collection of vulnerabilities was dubbed URGENT/11; it includes 11 flaws, 6 of which are rated critical in severity.
The critical flaws could allow remote attackers to execute arbitrary code on vulnerable devices; the other 5 issues could cause denial-of-service conditions, information leaks, or logical flaws.
VxWorks is one of the most popular OSs for embedded devices. It currently powers over 2 billion devices in different industries, including aerospace, defense, automotive, healthcare, and consumer electronics. It is quite easy to find Wind River VxWorks in IoT devices, including webcams, network appliances, VoIP phones, and printers.
The vulnerabilities could be exploited by a remote attacker to bypass traditional security solutions and take full control over vulnerable devices without requiring any user interaction. The experts warn that the exploitation could potentially “cause disruption on a scale similar to what resulted from the vulnerability.”
The vulnerabilities can be exploited by an
The URGENT/11 flaws reside in the IPnet TCP/IP networking stack of the RTOS implemented in VxWorks version 6.5 and later.
“URGENT/11 poses a significant risk to all of the impacted VxWorks connected devices currently in use. There are three attack scenarios, depending on the location of the device on the network and the attacker’s position. URGENT/11 can be used by an attacker to take control over a device situated either on the perimeter of the network or within it. Even a device that is reaching outbound to the internet could be attacked and taken over.
The critical Remote Code Execution vulnerabilities are:
The remaining issues are:
“As each vulnerability affects a different part of the network stack, it impacts a different set of VxWorks versions. As a group, URGENT/11 affects the VxWorks’ versions described above with at least one RCE vulnerability affecting each version.” continues the report. “The wide range of affected versions spanning over the last 13 years is a rare occurrence in the cyber arena and is the result of VxWorks’ relative obscurity in the research community. This
Researchers explained that the VxWorks OS implements some optional mitigations that could make exploitation of the above vulnerabilities harder.
The experts also described three attack scenarios that differ in the position of the attacker and of the targeted vulnerable device.
A remote attacker can exploit the flaws to bypass networking and security devices powered by the OS.
“As an example of this scenario, consider how such an attack can take over the SonicWall firewall, which runs on the impacted VxWorks OS.” continues the report.
“According to Shodan, there are over 808K SonicWall firewalls connected to the Internet, representing a similar number of networks that these devices defend.”
This scenario sees attackers targeting IoT devices that are not directly connected to the Internet but are still able to communicate with the cloud from within a network protected by a firewall or NAT solution.
An attacker can intercept the TCP connection in different ways, for
In this scenario, an attacker inside a network can compromise connected