Security researchers have found 11 vulnerabilities, collectively known as “Urgent11”, that affect VxWorks, the real-time operating system created by Wind River. These vulnerabilities impact a wide range of devices, including routers, medical systems, printers and industrial equipment.
Real-time operating systems (RTOSes) are pieces of software with minimal features that are deployed on chipsets with access to a limited amount of resources. These include the chipsets used in modern Internet of Things devices, where the chipset has to manage input/output operations that involve little data processing and require no visual interface.
VxWorks is the most popular RTOS product and is used on more than two billion devices. The security flaws were found by researchers at Armis, and more details regarding the flaws will be presented next week at the Black Hat security conference, held on August 8 in Las Vegas.
The Urgent11 security flaws reside in the TCP/IP (IPnet) networking stack, which is a component of the VxWorks RTOS that manages the device’s ability to connect to the internet or to other devices on a local network.
The 11 vulnerabilities discovered in this component could be exploited by attackers in the wild. Some flaws only reveal simple information about a device, while others can crash the affected systems or permit an attacker to take total control of vulnerable systems.
According to Armis, the six critical vulnerabilities that can lead to remote code execution are:
1. Stack overflow in the parsing of IPv4 packets IP options (CVE-2019-12256)
2. TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255)
3. TCP Urgent Pointer state confusion caused by malformed TCP AO option (CVE-2019-12260)
4. TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261)
5. TCP Urgent Pointer state confusion due to race condition (CVE-2019-12263)
6. Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)
The less dangerous vulnerabilities, which can cause denial of service, logical errors, or information leaks, are:
1. TCP connection DoS via malformed TCP options (CVE-2019-12258)
2. Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)
3. Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)
4. DoS via NULL dereference in IGMP parsing (CVE-2019-12259)
5. IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)
These vulnerabilities affect all versions of the VxWorks RTOS from v6.5 onward.
Some vulnerabilities can be exploited directly over the internet, while others can be exploited only from local networks. Some vulnerabilities may be important on one device but not on others.
The video below demonstrates how an attacker could use the vulnerabilities to perform an attack.
It is great news that Armis and Wind River have resolved the security flaws by releasing patches for the Urgent11 flaws last month.
According to a Wind River spokesperson, these vulnerabilities are not unique to Wind River software. The IPnet stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of other RTOS vendors.
The latest release of VxWorks is not affected by the vulnerabilities. Wind River’s safety-critical products that are designed for certification, such as VxWorks 653 and VxWorks Cert Edition, are also not affected.
Wind River confirmed that no vulnerabilities were exploited in the wild before patches were released.
The vulnerabilities and the attack surface they open can be easily mitigated. First, installing the VxWorks security patches closes any holes hackers could exploit. Second, if devices can’t be patched, companies can deploy special firewall signatures that detect exploitation attempts for the Urgent11 vulnerabilities. But these firewall rules work only if the firewall devices themselves either don’t use VxWorks or have been patched against the Urgent11 flaws.
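As an added illustration of what a network-side check for unpatched devices can look at (this is not Armis or Wind River signature code), the Python sketch below parses a raw IPv4 packet and flags two traits named in the list above: IPv4 options being present and the TCP URG flag being set, including the urgent pointer = 0 case. The function names, the sample packets and the choice of traits are assumptions made for this example; both traits also occur in legitimate traffic, so the findings are triage hints rather than proof of exploitation.

```python
import struct

URG = 0x20  # URG bit in the TCP flags byte

def inspect_ipv4_tcp(packet: bytes) -> list:
    """Return triage findings for one raw IPv4 packet (no link-layer header)."""
    if len(packet) < 20:
        return ["truncated IPv4 header"]
    if packet[0] >> 4 != 4:
        return ["not IPv4"]
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    if ihl < 20 or ihl > len(packet):
        return ["invalid IPv4 header length"]
    findings = []
    if ihl > 20:                              # anything past 20 bytes is IP options
        findings.append(f"IPv4 options present ({ihl - 20} bytes)")
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] != 6 or frag_offset != 0:    # not TCP, or no TCP header in this fragment
        return findings
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return findings + ["truncated TCP header"]
    urgent_ptr = struct.unpack("!H", tcp[18:20])[0]
    if tcp[13] & URG:
        if urgent_ptr == 0:
            findings.append("URG set with urgent pointer 0")
        else:
            findings.append(f"URG set (urgent pointer {urgent_ptr})")
    return findings

def build_packet(ip_options=b"", tcp_flags=0x10, urgent_ptr=0) -> bytes:
    """Constructed sample packet (documentation addresses, zero checksums)."""
    ihl = (20 + len(ip_options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4,
                      tcp_flags, 8192, 0, urgent_ptr)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + ip_options + tcp

if __name__ == "__main__":
    samples = {
        "plain ACK": build_packet(),
        "URG, pointer 0": build_packet(tcp_flags=0x30),
        "IP options": build_packet(ip_options=b"\x01\x01\x01\x00"),
    }
    for name, pkt in samples.items():
        print(name, "->", inspect_ipv4_tcp(pkt) or "nothing flagged")
```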
The main issue with Urgent11 is its impact on networking equipment, such as routers, modems, and firewalls.
It is important to patch networking equipment vulnerable to Urgent11, as it can give hackers access to companies’ internal networks.