The Vulnerability That Not Enough People Are Discussing

2 min read

Thousands have read about the VxWorks vulnerability in recent weeks, but did not understand the implications.  For some reason, it hasn’t caught the attention of the widespread media, but it should. 

Meanwhile, it HAS caught the attention of the FDA, who recently issued a warning about the vulnerability dubbed "URGENT/11." Published October 1, 2019, the FDA Safety Communication warns the vulnerability may "introduce risks during use of certain medical devices" and that "software to exploit these vulnerabilities is already publicly available."

About every 2 years, someone discovers a security vulnerability with a large scope and potential impact. URGENT/11 is definitely one of them. One of the operating systems affected is VxWorks, which is estimated to be embedded in over 2 billion devices globally.

The URGENT/11 Vulnerability Is Widespread

Recently discovered by Armis, URGENT/11 checks all of the critical vulnerability boxes because:

  1. It’s for a Real time Operating System (RTOS) called VxWorks that’s widely used in critical IoT devices.
  2. 6 of the discovered vulnerabilities include remote code execution, essentially allowing an attacker to control the system remotely.
  3. The devices involved include medical devices, power distribution and management devices, and network infrastructure, including a widely-used commercial firewall.
  4. The responsible way in which Armis disclosed the vulnerability means that there are already patches available for many devices.

Here’s the thing though, many organizations don’t know if they have VxWorks deployed. Generally, you have no way of knowing without a very detailed inventory of your network. That Xerox printer you use every day for example could be vulnerable (14 Xerox models are.) The nature of an imbedded RTOS is that the user generally sees a totally different name, so they may have no idea that they have vulnerable systems.

Armis’ Lists VxWorks Vulnerable Devices

From the vulnerable list Armis publishes, almost any medium to large-sized network (and many small ones) will have at least one VxWorks powered device on it.

Here’s what Armis said about their discovery, including the list of impacted devices. 

“The Armis research team, Armis Labs, have discovered 11 zero day vulnerabilities in VxWorks®, the most widely used operating system you may never heard about. VxWorks is used by over 2 billion devices including critical industrial, medical and enterprise devices. Dubbed “URGENT/11,” the vulnerabilities reside in VxWorks’ TCP/IP stack (IPnet), impacting all versions since version 6.5, and are a rare example of vulnerabilities found to affect the operating system over the last 13 years. Armis has worked closely with Wind River®, the maintainer of VxWorks, and the latest VxWorks 7 released on July 19 contains fixes for all the discovered vulnerabilities.

Six of the vulnerabilities are classified as critical and enable Remote Code Execution (RCE). The remaining vulnerabilities are classified as denial of service, information leaks or logical flaws. URGENT/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions. These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks. Such an attack has a severe potential, resembling that of the EternalBlue vulnerability, used to spread the WannaCry malware.”

Critical Insight is proud to have Armis as a strategic partner. They provide customers a broad range of information about every device in their environment - a complete IT asset inventory. Critical Insight’s Critical Insight Managed Detection and Response allows customers to detect and respond quickly to attacks on those devices.

We want to make the digital world a safer place, and we know that’s a goal we share with our friends at Armis.