Wind River's VxWorks zero-day alert: Warning As 2 Billion Medical, Industrial And Enterprise IoT Devices At Risk Of Attack
Trust Model News
Warning As 2 Billion Medical, Industrial And Enterprise IoT Devices At Risk Of Attack
A team of security researchers at California-based Armis has disclosed the discovery of 11 zero-day vulnerabilities in one of the world's most widely used IoT operating systems. VxWorks is so common, in fact, that it powers more than 2 billion devices around the world, including medical equipment, firewalls, elevators and industrial machinery. Armis describes VxWorks as "the most widely used operating system you have likely never heard about."
All of which makes those 11 vulnerabilities, which sit in VxWorks' TCP/IP stack, IPnet, a widespread security threat; if exploited, the exposure "could cause disruption on a scale similar to the EternalBlue vulnerability." Six of the 11 vulnerabilities are critical, enabling remote code execution (RCE), and Armis has tagged its warning "URGENT/11," explaining that only 13 CVEs (Common Vulnerabilities and Exposures) have ever been listed by the non-profit MITRE as affecting VxWorks, "and none of them affected the core networking stack as severely as URGENT/11 does."
Vulnerabilities that open a TCP/IP stack to RCE in this way are thankfully rare, and Armis describes such exposures as "the holy grail for attackers." Because a threat actor can target the core underlying OS, there is no need to discover and exploit issues in specific applications. All that is required is network connectivity to the device and knowledge of the flaw. "When such vulnerabilities are found," Armis explains, "they can even be used to bypass Firewall and NAT solutions, hiding in otherwise innocent-looking TCP traffic."
Armis disclosed the vulnerabilities to Wind River, the company behind VxWorks, and supported its efforts to develop a mitigation plan and to notify those affected. The six critical (remote code execution) vulnerabilities allow security layers to be bypassed and core systems to be attacked without any user interaction. "These devastating traits," the researchers point out in their July 29 disclosure, "make these vulnerabilities 'wormable,' meaning they can be used to propagate malware into and within networks. Such an attack has a severe potential, resembling that of the EternalBlue vulnerability, used to spread the WannaCry malware."
The anticipated growth in the number of IoT devices over the coming years is a major security concern. IHS Markit forecasts 125 billion such devices by 2030, up from 27 billion in 2017, and Intel predicts the value of IoT technology to be as much as $6 trillion by 2025. This disclosure hammers home the seriousness of the risk, and how easily devices at that scale can be exposed. In its disclosure, Armis warns that the attack scenarios enabled by URGENT/11 include attackers taking control of critical devices, whether those devices sit at the security perimeter of a network (firewalls, for example) or deep within it. Once inside an affected device, the attacker has full control and can use that device as a route to every other vulnerable device on the network. At that point the network itself is compromised, not just a single device.
VxWorks is currently "the most widely used real-time operating system (RTOS) in the world," designed for devices that require "high accuracy and reliability," which means critical infrastructure, hospitals, industrial machinery and aerospace. "As such," Armis explains, "VxWorks is used in MRI machines, airplanes, trains, firewalls, printers." Manufacturers of devices running VxWorks, including Siemens, ABB, Emerson Electric, Rockwell Automation, Mitsubishi Electric, Samsung, Ricoh, Xerox, NEC and Arris, are advised to download and apply updates from Wind River's Security Center right away. Because an RTOS patch reaches end users only as a firmware update from each device vendor, operators of such equipment should expect a lag between Wind River's fix and a deployable update, and should inventory which of their devices run VxWorks in the meantime.
There is a mix of critical and non-critical devices within the warning, but the ability to pivot from one compromised device to others within a network puts everything at risk. An externally networked printer, for example, could be used to reach devices that have no external connection of their own. The example Armis gives in its disclosure is a printer within a hospital being used to access patient management systems on the internal network, which is precisely the kind of lateral movement that network segmentation between printers and clinical systems is meant to prevent.
There is a broad mix of concerns in this disclosure, including the potential impact on network defenses (firewalls) and on common industrial and enterprise systems (elevators, medical devices, printers) that are simply not expected to be at risk in this way. There is also the age of the operating system: after more than three decades in production, issues of this kind would be expected to have been found and resolved long ago. And, finally, an overriding set of questions: if we are only finding this out now, what more do we not know? What other critical vulnerabilities exist within other commonplace industrial IoT systems, perhaps in aerospace and defense, in critical infrastructure, in energy and resources?
Armis will present its URGENT/11 research at Black Hat 2019 in Las Vegas next month. The company's researchers will also demonstrate three end-to-end attacks: on a SonicWall firewall, a Xerox printer and a patient monitor.
VxWorks is a real-time operating system (RTOS) developed as proprietary software by Wind River Systems, a wholly owned subsidiary of TPG Capital, US. First released in 1987, VxWorks is designed for use in embedded systems requiring real-time, deterministic performance and, in many cases, safety and security certification, in industries such as aerospace and defense, medical devices, industrial equipment, robotics, energy, transportation, network infrastructure, automotive and consumer electronics.
VxWorks supports Intel, POWER and ARM architectures. The RTOS can be used in multicore asymmetric multiprocessing (AMP), symmetric multiprocessing (SMP) and mixed-mode designs, and in multi-OS designs (via a Type 1 hypervisor), on 32- and 64-bit processors.