Networking vulnerabilities leave 200m devices open to worm attacks

Security researchers are warning that the popular real-time operating system VxWorks, developed by American company Wind River, contains serious bugs that can be exploited remotely by attackers, for full device takeover.

California-based security vendor Armis said it had found 11 so-called zero-day vulnerabilties in VxWorks, with six of them allowing for the remote execution of arbitrary code with no user interaction required.

Another five can be used for denial of service attacks, and information leakage and Armis warned that it's possible to exploit the vulnerabilties to create internet worms like the recent WannaCry malware that self-replicate and spread to other networked devices.

The vulnerabilties affecting VxWorks lie in the transmission control protocol/internet protocol stack called IPnet and are found in all versions since 6.5. They have been around for 13 years, and VxWorks has only this month issued fixes for them.

Armis named the vulnerabilities Urgent/11 and said they could be exploited by sending specially crafted data packets over networks.

IPnet parses options in IPv4 headers wrongly, making it possible to cause a stack overflow, Armis found.

It is also possible to abuse the TCP Urgent Pointer field to trigger memory corruption, and send specially crafted dynamic host control protocol packets to cause heap overflows in IPnet for remote code execution.

The security vendor estimates that around 200 million VxWorks devices around the world are vulnerable to Urgent/11.

Many of these are used as industrial control systems, lifts, healthcare devices such as patient monitors and magnetic resonance imaging machines but also network and IT equipment such as firewalls, routers, modems and printers.

Companies that use versions of VxWorks include giant corporations such as Siemens, Asea Brown Boveri, Rockwell Automation, Mitsubishi, Samsung, Ricoh, Xerox, NEC and others.

Aggravating the potential threat, Armis said the devices examined and exploited with Urgent/11 contained no modern hardware and software mitigations such as address space layout randomisation, stack canaries and data execution protection.

Takeover of SonicWall firewall using Urgent/11.

Armis has notified Wind River, the developer of VxWorks, which has acknowledged the flaws.

Wind River chief security architect Arlen Baker said there is no indication that the vulnerabilites have been exploited in the wild.

Baker said the latest version of VxWorks is not vulnerable, nor are safety-critical variants of the RTOS such as VxWorks 653 or Cert Edition affected. 

Furthermore, not all vulnerabiltiies apply to all impacted versions, Baker said.

He added that the 200 million devices number cited by Armis has not been confirmed and that Wind River believes it is too high. Baker did not provide an estimate of how many devices the company believes are vulnerarble to Urgent/11, and would only say that "those impacted make up a small subset of our customer base".

These are primarily non-critical enterprise devices at network perimeters such as modems, routers, and printers, as well as some industrial and medical devices.