Pierluigi Paganini July 30, 2019

Security experts at Armis have discovered a dozen zero-day vulnerabilities affecting the VxWorks real-time operating systems (RTOS) for embedded devices.

Researchers at Armis Labs have discovered a dozen zero-day flaws in the VxWorks real-time operating systems (RTOS) for embedded devices.

The collection of vulnerabilities was dubbed URGENT/11, it includes 11 flaws, 6 of which are rated as critical in severity.

The critical flaws could allow remote attackers to execute arbitrary code on vulnerable devices, the other 5 issues could trigger a denial-of-service condition, could lead to information leaks or logical flaws.

VxWorks is one of the most popular OSs for embedded devices, it currently powers over 2 billion devices in different industries, including aerospace, defense, automotive, healthcare, and consumer electronics. It is quite easy to find Wind River VxWorks in IoT devices, including webcam, network appliances, VOIP phones, and printers.

The vulnerabilities could be exploited by a remote attacker to bypass traditional security solutions and take full control over vulnerable devices without requiring any user interaction. The experts warn that the exploitation could potentially “cause disruption on a scale similar to what resulted from the vulnerability.”

The vulnerabilities can be exploited by an unauthenticated, remote attacker by sending a specially crafted TCP packet to a vulnerable device without requiring any user interaction.

The URGENT/11 flaws reside in the IPnet TCP/IP networking stack of the RTOS implemented in VxWorks version 6.5 and later.

“URGENT/11 poses a significant risk to all of the impacted VxWorks connected devices currently in use. There are three attack scenarios, depending on the location of the device on the network and the attacker’s position. URGENT/11 can be used by an attacker to take control over a device situated either on the perimeter of the network or within it.  Even a device that is reaching outbound to the internet could be attacked and taken over. Alternately, an attacker who has already managed to infiltrate a network can use URGENT/11 to target specific devices within it, or even broadcast an attack capable of taking over all impacted VxWorks devices in the network simultaneously.” reads the report published by Armis Labs. “It is important to note that in all scenarios, an attacker can gain complete control over the targeted device remotely with no user interaction required, and the difference is only in how the attacker reaches it.”

The critical Remote Code Execution vulnerabilities are:

• A Stack overflow issue in the parsing of IPv4 options (CVE-2019-12256)
• Four memory corruption vulnerabilities caused by the improper handling of TCP’s Urgent Pointer field (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263)
• Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)

The remaining issues are:

• TCP connection DoS via malformed TCP options (CVE-2019-12258)
• Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)
• Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)
• DoS via NULL dereference in IGMP parsing (CVE-2019-12259)
• IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)

“As each vulnerability affects a different part of the network stack, it impacts a different set of VxWorks versions. As a group, URGENT/11 affects the VxWorks’ versions described above with at least one RCE vulnerability affecting each version.” continues the report. “The wide range of affected versions spanning over the last 13 years is a rare occurrence in the cyber arena and is the result of VxWorks’ relative obscurity in the research community. This timespan might be even longer, as according to Wind River, three of the vulnerabilities were already existent in IPnet when it acquired the stack from Interpeak in 2006.”

Researchers explained that the VxWorks OS implements some optional mitigations that could make it hard the exploitation of the above vulnerabilities.

The experts also described three attack scenarios that differ from the position of the attacker and the targeted vulnerable device.

Scenario 1: Attacking the Network’s Defenses

A remote attacker can exploit the flaws to bypass networking and security devices powered with the OS.

“As an example of this scenario, consider how such an attack can take over the SonicWall firewall, which runs on the impacted VxWorks OS.” continues the report.

“According to Shodan, there are over 808K SonicWall firewalls connected to the Internet, representing a similar number of networks that these devices defend.”

Scenario 2 – Attacking from Outside the Network Bypassing Security

This scenario sees attackers targeting IoT devices that are not directly connected to the Internet that anyway are able to communicate connected to the cloud from within a network protected behind a firewall or NAT solution.

An attacker can intercept the TCP connection in different ways, for example using DNS changer malware, targeting DNS servers and carrying out Man-in-The-Middle attacks.

Scenario 3: Attacking from within the Network

In this scenario, an attacker inside a network can compromise connected IoT devices powered with VxWorks.

Armis reported the flaws to Wind River Systems, which are already released security patches and informed the impacted security vendors.

Pierluigi Paganini

(SecurityAffairs – VxWorks, URGENT/11)

[adrotate banner=”5″]

[adrotate banner=”13″]