Security researchers have disclosed details today about 11 vulnerabilities known collectively as “Urgent11” that impact a wide range of devices, from routers to medical systems, and from printers to industrial equipment.
Real-time operating systems (RTOSes) are simple pieces of software with very few features that are deployed on chipsets with access to a limited amount of resources, such as the chipsets used in modern Internet of Things (IoT) devices — where the chipsets only need to manage input/output operations, with little data processing and no need for a visual interface.
Among all RTOS versions, VxWorks is today’s most popular product, deployed on more than two billion devices, according to Wind River’s website. However, in its 32-year history, only 13 security flaws with a MITRE-assigned CVE have been found in the VxWorks RTOS.
VxWorks’ popularity and the lack of any attention from the security community were the two reasons why experts from IoT cybersecurity firm Armis decided to analyze the OS for security flaws, the company told ZDNet in a phone call last week.
It’s this work that has resulted in the discovery of the Urgent11 vulnerabilities impacting VxWorks, which Armis researchers have made public today, and will detail in greater depth in a presentation at the Black Hat security conference next week, on August 8, in Las Vegas.
What are the Urgent11 vulnerabilities?
The Urgent11 security flaws reside in the TCP/IP (IPnet) networking stack, which is a component of the VxWorks RTOS that manages the device’s ability to connect to the internet or to other devices on a local network.
Armis researchers have discovered 11 vulnerabilities in this component that an attacker can exploit. Some only reveal simple information about a device, others can crash affected systems, while others are more dangerous and allow an attacker to take full control over vulnerable systems.
According to Armis, the six critical vulnerabilities, that can lead to remote code execution are:
1. Stack overflow in the parsing of IPv4 packets IP options (CVE-2019-12256)
2. TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255)
3. TCP Urgent Pointer state confusion caused by malformed TCP AO option (CVE-2019-12260)
4. TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261)
5. TCP Urgent Pointer state confusion due to a race condition (CVE-2019-12263)
6. Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)
The five lesser dangerous vulnerabilities that can lead to denial-of-service, logical errors, or information leaks are:
1. TCP connection DoS via malformed TCP options (CVE-2019-12258)
2. Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)
3. Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)
4. DoS via NULL dereference in IGMP parsing (CVE-2019-12259)
5. IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)
These vulnerabilities impact all versions of the VxWorks RTOS since v6.5, moving forward. This includes VxWorks versions released in the past 13, according to Armis.
Some vulnerabilities can be exploited directly, over the internet, while others require attackers a foothold on local networks. Exploitation scenarios vary wildly.
In addition, the same vulnerability is more important when present in one device, but not in another. For example, a company firewall or router running VxWorks, if compromised, can then grant access to all devices within its private network. But the same vulnerability found in an industrial PLC is not as dangerous, as PLCs aren’t usually left connected to the internet, and attackers won’t have many chances to exploit the security flaw.
Please see the Urgent11 white paper for the technical details of each vulnerability and the different scenarios in which each one can be exploited. The video below gives a short presentation on how an attacker could weaponize the vulnerabilities to attack companies, and potentially sabotage production or use the devices as a launching point for other attacks.
Patches released last month
The good news is that Armis and Wind River worked together to resolve the security flaws. Wind River has released patches for the Urgent11 flaws last month.
“These vulnerabilities are not unique to Wind River software,” a Wind River spokesperson told ZDNet. “The IPnet stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of other RTOS vendors.”
Wind River says that most of the impacted VxWorks versions are now end-of-life (EOL). For versions that are still maintained, the company released patches on July 19, including the current 7.x branch.
“The latest release of VxWorks is not affected by the vulnerabilities, nor are any of Wind River’s safety-critical products that are designed for certification, such as VxWorks 653 and VxWorks Cert Edition,” the OS maker said.
Wind River also said it did not find any evidence that the vulnerabilities had been exploited in the wild before patches were released.
Furthermore, the vulnerabilities and the attack surface they open can be easily mitigated. First, installing the VxWorks security patches closes any holes hackers could exploit.
Second, if devices can’t be patched right away, companies can deploy special firewall signatures/rules that can detect exploitation attempts for the most dangerous Urgent11 vulnerabilities, Ben Seri, VP of Research at Armis told ZDNet.
But these firewall rules will only work if the devices themselves either don’t use VxWorks, or have been patched against Urgent11 flaws.
As both Armis and Wind River spokespersons have told ZDNet last week, the big issue with Urgent11 is its impact on networking equipment, such as routers, modems, and firewalls.
Medical and industrial equipment vulnerable to Urgent11 might be safe, for the most part, since most of these systems aren’t directly exposed on the internet. However, networking equipment is. That’s why patching any networking equipment vulnerable to Urgent11 must be a top priority, since they can allow hackers access to companies’ internal networks.
The long tail of patching
However, there is another big problem with Urgent11, and that is the human and business factor that often accompanies devices deployed in the field.
Many of them can’t be patched right away, due to strict patching and maintenance schedules. Companies are notorious for doing anything in their power to avoid losing money by shutting down production lines to install patches. One botched update and production could remain down for days instead of hours.
Further, some device owners might not always have the technical skills to do install security updates for a low-level RTOS.
“Patching these devices […] if they are on a manufacturing line, this is not updating your iPhone,” Michael Parker, Chief Marketing Officer at Armis, told ZDNet.
“There are schedules, there are updates, there’s all the stuff that you have to do. That’s just one of the challenges of securing these new devices when we find an exploit like this,” he said. “Patching takes time, and we’re seeing the new long tail of patching. It’s longer than we saw with Windows devices.”
As we’ve seen with all the vulnerabilities exploited by botnets in the past few years, security flaws in IoT devices tend to linger far longer than OS flaws. Even with Wind River’s best intentions of releasing patches in a timely manner, the Urgent11 flaws might haunt some companies for years.