VxWorks, a real-time operating system (RTOS) that powers around 2 billion devices across the globe, was recently found to contain 11 zero-day vulnerabilities, six of which are very critical and can lead to dangerous attacks. These 11 critical flaws are collectively called URGENT/11, after the number of vulnerabilities.
The VxWorks RTOS is used in many industries worldwide, including defense, industrial, medical, aerospace, automotive, consumer electronics, networking, and other big industries. VxWorks also runs many Internet of Things devices, including webcams, routers, firewalls, VoIP phones, printers, traffic lights, and many more.
VxWorks is so widely deployed that it is also used in mission-critical systems including trains, elevators, MRI machines, in-flight WiFi systems, and a lot of other places.
Actual Vulnerability in the System (URGENT/11)
These critical flaws lie in IPnet, the TCP/IP networking stack that has been part of VxWorks since version 6.5; all versions released in the last 13 years are impacted by these vulnerabilities.
The vulnerabilities were discovered by Armis researchers, who specialize in IoT security solutions and help organizations control any device or network.
However, the older versions are likely not vulnerable to all 11 of these vulnerabilities, but every one of them has at least one of the critical flaws present.
Six of the 11 critical vulnerabilities can be used to carry out remote code execution (RCE) attacks, and the remaining vulnerabilities can lead to denial of service (DoS), information leaks, and other critical flaws.
URGENT/11 critical vulnerabilities and their designated CVE numbers:
- Stack overflow in the parsing of IPv4 options: CVE-2019-12256
- Heap overflow in DHCP Offer/ACK parsing in ipdhcpc: CVE-2019-12257
- Four memory corruption vulnerabilities: CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263
These vulnerabilities can be exploited by sending a crafted TCP packet from the attacker's device to an affected device, and exploitation requires no user interaction.
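The article does not detail the IPnet flaws, so the following is an added example, not Wind River's or Armis's code: it shows the length checks that any IPv4 options parser needs under RFC 791 so that length fields taken from a packet can never carry it past the header. The function, constant and sample names are this example's own, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Error codes; the names are this example's own. */
enum { OPTS_BAD_HEADER = -1, OPTS_TRUNCATED = -2, OPTS_BAD_LENGTH = -3 };

/* Constructed 24-byte IPv4 headers (IHL = 6), not captured traffic. */
static const uint8_t sample_ok[24]   = {0x46,0,0,24, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
                                        0x94,0x04,0x00,0x00}; /* Router Alert, length 4 */
static const uint8_t sample_bad[24]  = {0x46,0,0,24, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
                                        0x83,0x27,0x04,0x00}; /* claims 39 bytes, 4 available */
static const uint8_t sample_zero[24] = {0x46,0,0,24, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
                                        0x07,0x00,0x00,0x00}; /* option length of zero */

/* Walk the options area of an IPv4 header without trusting any length field.
 * pkt/len: bytes starting at the IPv4 header and how many are available.
 * Returns the number of options seen (End-of-List and No-Operation are not
 * counted), or a negative error code for a malformed header. */
int ipv4_count_options(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return OPTS_BAD_HEADER;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;  /* header length in bytes */
    if (ihl < 20)
        return OPTS_BAD_HEADER;
    if (ihl > len)
        return OPTS_TRUNCATED;                 /* header claims more than we hold */
    int count = 0;
    for (size_t off = 20; off < ihl; ) {
        uint8_t type = pkt[off];
        if (type == 0)                         /* End of Option List */
            break;
        if (type == 1) {                       /* No-Operation: single byte */
            off++;
            continue;
        }
        if (ihl - off < 2)                     /* no room for the length byte */
            return OPTS_BAD_LENGTH;
        size_t optlen = pkt[off + 1];
        /* optlen counts the type and length bytes: below 2 is invalid (0 would
         * never advance), and it must fit in what is left of the header. */
        if (optlen < 2 || optlen > ihl - off)
            return OPTS_BAD_LENGTH;
        count++;
        off += optlen;
    }
    return count;
}
```

A receiver or inline filter that gets a negative result should drop the packet before any option contents are copied or interpreted.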
Patching the Flaws
The Armis researchers have confirmed that these flaws do not affect the other variants of VxWorks, such as VxWorks Cert Edition and VxWorks 653.
The vulnerabilities were reported to Wind River Systems (the developer of VxWorks), and its security team has already released various patches to fix the issue.
Patches have been released for SonicWall and Xerox, but according to the Armis team, it is not easy to patch the flaws present in IoT systems, as they are part of critical infrastructure.