UPDATE
A cadre of 11 vulnerabilities, six of them critical remote code-execution (RCE) bugs, have been uncovered that affect millions of critical infrastructure systems, such as SCADA gear at utilities, elevator and industrial controllers, patient monitors and MRI machines, programmable logic controllers (PLCs), robotic arms and more – as well as firewalls, routers, satellite modems, VoIP phones and printers.
Researchers at Armis, who previously discovered the BlueBorne vulnerabilities, said that Wind River VxWorks versions since version 6.5 that include the IPnet stack are affected by the group of bugs, which the firm has collectively called “URGENT/11.”
VxWorks is a real-time operating system (RTOS) that third-party hardware manufacturers have embedded in more than two billion devices across industrial, medical and enterprise environments.
Also, the IPnet networking stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of real-time operating system vendors – a fact that widens the attack surface, researchers said.
If exploited, URGENT/11 could allow a complete takeover of a device (or whole groups of devices), causing disruption on a scale similar to what resulted from the EternalBlue vulnerability, Armis noted.
“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses. This is why URGENT/11 is so important. The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern.”
Vulnerability Details
Any connected device leveraging VxWorks that includes the IPnet stack is affected by at least one of the 11 discovered vulnerabilities, according to Armis (CVEs from Wind River available here). Most concerningly, URGENT/11 includes six RCE vulnerabilities that could give an attacker full control over a targeted device, via unauthenticated network packets.
“URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected,” said Yevgeny Dibrov, CEO and co-founder of Armis. “The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk.”
Among the finds are two bugs in particular that are “really interesting,” Seri told Threatpost in an interview.
One of them, CVE-2019-12256, exists in the IP protocol headers in the devices’ communications, at Layer 2, which opens up the possibility for wide-scale attacks. It’s a stack overflow in the parsing of IPv4 packets’ IP options that carries a critical 9.8 severity level on the CVSS v3 scale.
“This affects any impacted device with IP support,” Seri explained. “Because it’s in the IP header, you don’t have to send a packet directly to a specific device to trigger the vulnerability. The IP packet that triggers it can be a broadcast packet, heard by every compatible device in the network.”
Thus, if there were, say, a warehouse with PLCs all running the same version, one broadcast packet could trigger exploits on all of them at once.
“I don’t know if I’ve ever heard of something like this before,” Seri said. “It’s very rare and unique.”
The second vulnerability type is found in four of the bigs (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263, with critical severity levels that top out at 9.8) exists in TCP Layer 3 parsing, which can allow an attacker to bypass traditional perimeter defenses.
“Packets go through network address transversal (NAT) and firewalls to connect an endpoint to a cloud service or the internet, using TCP ports,” Seri explained. “So, a printer might connect outbound to a cloud printing service. Thanks to this vulnerability, an attacker on internet side of the firewall and NAT can intercept the connection, change the TCP headers to contain exploit code, and send the packets back to the printer to trigger RCE. All without needing to breach the network at all; the devices meanwhile are thought to be secured behind the firewall and NAT.”
The two can also be chained together – an adversary can penetrate the network with the Layer 3 vulnerability and then send a broadcast packet using the Layer 2 bug to compromise a raft of machines all at once.
The sixth critical bug is CVE-2019-12257, which carries am 8.8 severity score. It would allow a specially crafted DHCP packet to cause overflow of heap-allocated memory on a VxWorks system using DHCP. The attacker must have compromised the LAN that the target device is attached to, as DHCP packets are not forwarded by IP routers.
Trivial to Exploit
One of the reasons URGENT/11 is so concerning is that the bugs are widespread and require little technical expertise to exploit – and, they can have a large impact.
“These are powerful vulnerabilities,” Seri told Threatpost. “Any device that uses VxWorx is potentially affected; it doesn’t matter what the configuration is on the device, or the applications that are used.”
To mount a campaign, an attacker would simply need to choose a category of devices, such as MRI machines, and then create a targeted worm using well-known exploit techniques.
“The devices that use VxWorks don’t traditionally have a lot of security on them, not like PCs and phones,” Seri said. “And these bugs are trivial to exploit. Some of the flaws are simple stack overflow vulnerabilities of the kind often exploited in the 90s to create all kinds of worms.”
Patching
Wind River has been working to notify its embedded systems hardware-maker customers, and issued patches last month. However, as is familiar from the Android ecosystem, there is likely to be a long-tail effect when it comes to mitigating the danger. After making the patches available to its OEM partners, those partners must implement the patches and then work with their own end-user customer bases to get them rolled out.
“There are at least 2,000 vendors that depend on this code,” Seri said. “Patching embedded devices like this is a lengthy process in an ecosystem that doesn’t do regular security like mobile and PCs.”
However, until patches are available to all devices, the vulnerabilities themselves are identifiable by traffic analysis; Armis is providing a signature for use by firewalls and NAT to log any infection attempts, Seri said.
For its part, Wind River issued a statement on the findings.
“Through mutually embraced responsible disclosure, Wind River’s dedicated security incident response team worked closely with Armis to ensure customers were notified and provided patches and mitigation options,” said Arlen Baker, Wind River chief security architect, in a web statement. “This shared, collaborative process was designed and executed to help device makers mitigate potential risks to their users. We thank the security researchers for their role in helping us discover these vulnerabilities in the IPnet networking stack.”
The good news is that URGENT/11 does not impact versions of the product designed for certification, such as VxWorks 653 and VxWorks Cert Edition – meaning that nuclear power plants and the like are probably not at risk, the researchers told Threatpost. However, Seri said not to rest too easy in that assessment.
“We don’t know why it doesn’t impact Certified, and gaining access to these kinds of systems is very hard, it’s a very protected, closed system,” he explained. “So URGENT/11 might be the tip of the iceberg in terms of flaws found, and we hope this paves the way for other researchers to take a look at these platforms.”
Very few bug-hunters have trained their sights on VxWorks, Armis pointed out, because it’s pervasive and trusted “due to its rigorous and high-achieving safety certifications and its high degree of reliability and real-time accuracy.” In fatc, in its 32-year history, only 13 CVEs have been listed by MITRE as affecting VxWorks.
“Compare that to Android, where a huge amount of research time has been invested,” Seri said. “And thousands of CVEs have been found. VxWorks has 13 vulnerabilties in 32 years? It’s embedded in the same number of devices as Android and used in much older, critical infrastructure. There’s likely more there, and it’s worth security researchers’ time to look at this platform more often.”
This post was updated at 1 p.m. ET with additional CVE information and a statement from Wind River.
Armis plans to discuss its findings further next week at Black Hat 2019, taking place Aug. 7 and 8 in Las Vegas. Be sure to follow all Black Hat and DEF CON 27 coverage right here at Threatpost starting next week.
