Security researchers today revealed details of 11 vulnerabilities, collectively referred to as “Urgent11”, that affect a wide range of devices, from routers to medical systems and from printers to industrial machinery.
The vulnerabilities affect VxWorks, a real-time operating system made by Wind River.
Real-time operating systems (RTOSes) are simple software components with very few features, deployed on chipsets with limited resources, such as those used in modern IoT devices, where the chipset only has to manage input/output operations, process little data and drive no visual interface.
According to Wind River’s website, VxWorks is the most popular RTOS of all, deployed on over 2 billion devices. Yet only 13 security defects with a MITRE-assigned CVE were found in the VxWorks RTOS over 32 years.
The popularity of VxWorks and the lack of security attention it has received are the two reasons IoT cybersecurity firm Armis decided to analyze the OS for security flaws.
That work led to the discovery of the Urgent11 vulnerabilities, published today by Armis researchers, who will go into more detail in a presentation at the Black Hat security conference in Las Vegas next week, on 8 August.
What are the URGENT11?
The security flaws reside in IPnet, the TCP/IP stack of the VxWorks RTOS, which manages the device’s ability to connect to the internet or to other devices on a local network.
In this component, Armis researchers found 11 vulnerabilities that an attacker can exploit. Some only reveal basic information about a device, others can crash affected systems, and the most severe allow an attacker to take full control of vulnerable systems.
According to Armis, the six critical code execution vulnerabilities are:
- Stack overflow in the parsing of IP packets (CVE-2019-12256)
- TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255)
- TCP Urgent Pointer state confusion caused by a malformed TCP AO option (CVE-2019-12260)
- TCP Urgent Pointer state confusion during connection to a remote host (CVE-2019-12261)
- TCP Urgent Pointer state confusion caused by a race condition (CVE-2019-12263)
- Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)
The five lesser vulnerabilities, which can lead to denial of service, logical errors or information leaks, are:
- TCP connection DoS via malformed TCP options (CVE-2019-12258)
- Handling of unsolicited Reverse ARP replies (logical flaw) (CVE-2019-12262)
- Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)
- DoS via NULL dereference in IGMP parsing (CVE-2019-12259)
- IGMP information leak via IGMPv3 specific membership report (CVE-2019-12265)
These vulnerabilities affect all VxWorks RTOS versions since v6.5, which covers every VxWorks release of the past 13 years.
Armis has published a white paper on the Urgent11 vulnerabilities, which provides a technical explanation of each flaw and the various scenarios in which each can be exploited. Armis is also planning to publish a video explainer today, which we will embed here when available.
PATCHES RELEASED LAST MONTH
The good news is that Armis and Wind River worked together to address the security issues, and Wind River released patches for the Urgent11 flaws last month.
“These vulnerabilities are not unique to Wind River software,” a Wind River spokesman said. “Wind River acquired the IPnet stack by purchasing Interpeak in 2006. Before that, the stack was broadly licensed to and deployed by many other RTOS vendors.” Wind River said that most of the affected VxWorks versions come from the now end-of-life (EOL) v6.5 branch.
“There is no vulnerability affecting any of the security-critical products of Wind River designed for certification, such as VxWorks 653 and VxWorks Cert Edition, nor the latest release of VxWorks,” the OS maker said.
Wind River said it found no evidence of in-the-wild exploitation of the vulnerabilities before the patches were released.
In addition, the vulnerabilities, and the attack surface they open, can be mitigated easily. First, installing the VxWorks security patches closes the holes that hackers might exploit.
Second, if devices cannot be patched immediately, companies can deploy specific signatures/rules to detect exploitation attempts against the most dangerous Urgent11 vulnerabilities, Ben Seri, vice president of research at Armis, told ZDNet.
But such firewall rules only work if the firewall devices themselves don’t run VxWorks, or have already been patched against the Urgent11 flaws.
As spokespeople for both Armis and Wind River told ZDNet last week, the biggest problem with Urgent11 is its impact on networking equipment such as routers, modems and firewalls.
Medical and industrial equipment susceptible to Urgent11 may be relatively safe, mainly because most of these systems are not directly exposed to the internet. Networking equipment, however, is. This is why patching any networking equipment vulnerable to Urgent11 must be a top priority: such devices can give hackers access to companies’ internal networks.
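The kind of exploitation-attempt signature Seri describes can be expressed as a per-packet check. The following is an added example, not Armis’s published rules or any Wind River code: it parses a raw TCP header and flags the anomalies the lists above describe, an URG segment whose urgent pointer is 0, a malformed TCP option list, and an URG segment carrying a TCP-AO option (kind 29, RFC 5925). The sample segments are constructed inline.

```python
import struct
URG = 0x20  # URG flag bit in the TCP flags byte

def build_tcp_header(flags, urg_ptr, options=b""):
    """Assemble a constructed TCP header (no IP header, no payload) for testing."""
    options += b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       data_offset << 4, flags, 8192, 0, urg_ptr) + options

def parse_options(opts):
    """Walk the TLV option list; return [(kind, data)] or None if it is malformed."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of option list
            break
        if kind == 1:  # NOP occupies a single byte
            i += 1
            continue
        if i + 1 >= len(opts):  # kind byte with no length byte
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):  # zero/short length or overrun
            return None
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out

def inspect_tcp(segment):
    """Return the list of Urgent11-style anomalies seen in one TCP segment."""
    hdr_len = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    if hdr_len < 20 or hdr_len > len(segment):
        return ["truncated header or invalid data offset"]
    flags = segment[13]
    urg_ptr = struct.unpack("!H", segment[18:20])[0]
    findings = []
    if flags & URG and urg_ptr == 0:
        findings.append("URG set with urgent pointer 0")
    opts = parse_options(segment[20:hdr_len])
    if opts is None:
        findings.append("malformed TCP options")
    elif flags & URG and any(kind == 29 for kind, _ in opts):  # 29 = TCP-AO
        findings.append("URG combined with TCP-AO option")
    return findings

SAMPLES = {  # constructed test segments, not captured traffic
    "normal": build_tcp_header(0x10, 0),                 # plain ACK
    "urg_zero": build_tcp_header(0x10 | URG, 0),         # URG set, pointer 0
    "bad_opts": build_tcp_header(0x10, 0, b"\x02\x00"),  # MSS option with length 0
}
```

A real deployment would feed `inspect_tcp` the TCP portion of each captured packet and raise an alert on any non-empty result.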
THE LONG TAIL OF PATCHING
There is, however, another major problem with Urgent11: the human and business factors that often accompany equipment in this field.
Many devices cannot be patched immediately because of strict patching and maintenance schedules. Companies are known to do everything they can to avoid losing money by shutting down production lines to install patches, and a botched update could keep production down for days rather than hours.
Furthermore, some device owners may not always be able to install security updates for a low-level RTOS.
“Patching these devices […] if they are on a manufacturing line, this is not updating your iPhone,” said Michael Parker, Chief Marketing Officer at Armis.
“There are schedules, updates are there, everything you need to do, that’s just one of the challenges when we find an exploit like that when securing these new devices,” he said. “Patching takes time, and we’re seeing the new long tail of patching. It is longer than we’ve seen with Windows devices.” Security flaws in IoT devices tend to linger much longer than desktop OS defects, as the vulnerabilities abused by the IoT botnets of the past couple of years have shown. Despite Wind River’s best intentions in releasing patches promptly, the Urgent11 flaws might haunt some companies for years.