Lily Hay Newman
When major vulnerabilities show up in ubiquitous operating systems like Microsoft Windows, they can be weaponized and exploited, the fallout potentially impacting millions of devices. Today, researchers from the enterprise security firm Armis are detailing just such a group of vulnerabilities in a popular operating system that runs on more than 2 billion devices worldwide. But unlike Windows, iOS, or Android, this OS is one you’ve likely never heard of. It’s called VxWorks.
VxWorks is designed as a secure, “real-time” operating system for continuously functioning devices, like medical equipment, elevator controllers, or satellite modems. That makes it a popular choice for Internet of Things and industrial control products. But Armis researchers found a cluster of 11 vulnerabilities in the platform’s networking protocols, six of which could conceivably give an attacker remote device access, and allow a worm to spread the malware to other VxWorks devices around the world. Roughly 200 million devices appear to be vulnerable; the bugs have been present in most versions of VxWorks going back to version 6.5, released in 2006.
Think of how the WannaCry ransomware used the Eternal Blue Windows vulnerability to spread across networks and around the world. It’s like that, but with firewalls, industrial equipment, and medical devices instead of Windows machines. The result could be anything from device malfunctions to full system takedowns.
VxWorks developer Wind River is in the process of distributing patches for the bugs. But the Armis researchers, who first disclosed their findings to Wind River in March, say that the patching process will be long and difficult, as is often the case with IoT and critical infrastructure updates. The researchers will present their findings at the Black Hat security conference in Las Vegas next week.
“Finding a vulnerability in the network layer means it would affect any device that is using this operating system and that has networking capabilities,” says Ben Seri, vice president of research at Armis. “It’s like the holy grail of vulnerability research finding something in that layer.”
The vulnerabilities, collectively dubbed Urgent/11, are surprising in two ways. First, their presence in the operating system’s network protocols—the “TCP/IP stack,” which help devices connect to networks like the internet—is unusual. Researchers and hackers discovered a number of bugs and worms in these protocol implementations in the 1990s, but since then the security of this foundational component has been largely standardized industry-wide. Second, it is relatively rare in general to find security vulnerabilities, particularly critical ones, in VxWorks. And while the vulnerabilities have a very broad reach, both Armis and Wind River emphasized to WIRED that they are not present in the latest version of VxWorks or Wind River’s “certification” versions, like VxWorks 653 and VxWorks Cert Edition. This means that critical infrastructure settings like nuclear power plants are not vulnerable.
“Not all vulnerabilities apply to all impacted versions. To date, there is no indication the Urgent/11 vulnerabilities have been exploited in the wild,” Wind River said in a statement. “Those impacted make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organizational networks that are internet-facing such as modems, routers, and printers, as well as some industrial and medical devices. Organizations deploying devices with VxWorks should patch impacted devices immediately.”
“You can’t just shut down a product line and do these updates.”
Michael Parker, Armis
Wind River has been working with customers to distribute the patch for almost two months now. But the nature of VxWorks devices—they typically run continuously, and often depend on customized software that requires a tailored patching process—makes it challenging to implement a fix.
“VxWorks is used so pervasively that there’s going to be a very long tail of patching,” says Michael Parker, Armis’ chief marketing officer. “It’s things like firewalls or robotic arms, or think about patient monitors and medical equipment. They have to basically create a whole new operating system and get FDA approval. You can’t just shut down a product line and do these updates.”
Other research reviewing exploitable VxWorks bugs has shown how difficult it is to distribute patches and mitigate fallout. “In our 2018 research looking at the prevalence of previously discovered VxWorks vulnerabilities we concluded that these bugs go from being zero-day vulnerabilities to forever-day vulnerabilities,” says Ang Cui, CEO of the embedded device security firm Red Balloon. “It’s because in practice many affected devices are found in critical infrastructure. Printers and phones can get patched, but most industrial devices never will.”
The most threatening thing about vulnerabilities in the network protocol layer is that they can be exploited from afar, without needing a foothold from a victim, say, opening a malicious document or plugging in a tainted USB stick. The most destructive exploitations of the bugs the researchers found would still require special manipulations, like the ability to man-in-the-middle an organization’s web traffic and manipulate packets. But motivated attackers are increasingly in the real-world position to launch such attacks at a massive scale.
“The worst-case scenario for me is what a determined nation-state could do with such a powerful vulnerability,” Armis’ Seri says. “We know that SCADA devices have been targeted, we know that power grids have been targeted. And these VxWorks devices all have industrial use cases. I’m not saying tomorrow morning it will happen, but that’s the worst case concern for me.”
More Great WIRED Stories