Critical flaws discovered in VxWorks OS

By Dylan Bushell-Embling
Tuesday, 30 July, 2019

Researchers from IoT security company Armis have discovered 11 major vulnerabilities in VxWorks, a real-time operating system used by over 2 billion devices including critical industrial, medical and enterprise devices.

The URGENT/11 list of vulnerabilities impacts all versions of the operating system since 6.5, potentially affecting a wide range of devices including firewalls, industrial controllers, patient monitors, MRI machines and printers.

Six of the vulnerabilities enable remote code execution, while the remaining five are classified as denial of service, information leaks or logical flaws.

The vulnerabilities reside in VxWorks' TCP/IP stack, enabling attackers to take over devices with no user interaction required and to bypass firewalls, NAT solutions and other perimeter security defences.

The bugs can be used to propagate malware into and within networks, giving them the potential to be used in attacks similar to the use of the EternalBlue vulnerability to spread WannaCry in 2017.

Attackers would be able to use the exploits to intercept an IoT device's TCP connection to the cloud, regardless of TLS encryption used, and trigger one of the vulnerabilities to take complete control over the device.

Attackers who have already infiltrated a network would be able to target and hijack specific devices over the network, or to breach all vulnerable devices at once by broadcasting malicious packets throughout the network.

Armis has worked with VxWorks maintainer Wind River on a fix, and the latest version of VxWorks 7 contains fixes for all 11 vulnerabilities.

But the company noted that the vulnerabilities pose a significant to risk to all impacted unpatched CxWorks devices in use, especially considering that VxWorks devices lack the ability to install a security agent.

VxWorks is most widely used in the healthcare and industrial sectors, so these are expected to be the most at risk from these vulnerabilities. Attacks using the URGENT/11 could be particularly devastating for these industries given the critical nature of the devices using the operating system, Armis said.

For example, a compromised industrial controller could shut down a factory, while a compromised patient monitor could have a life-threatening effect.

Image credit: ©stock.adobe.com/au/ArtemSam

Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.