2 Billion Devices Vulnerable to Critical ‘Urgent/11’ VxWorks RCE Flaws

Researchers at cybersecurity firm Armis have identified 11 zero-day vulnerabilities in VxWorks, the most popular real time operating system (RTOS). The vulnerabilities are collectively known as ‘Urgent/11’.

VxWorks is a real time operating system that is used in approximately 2 billion devices, from routers and VOIP phones to medical devices and critical infrastructure equipment.

The vulnerabilities could be exploited in an attack that could eventually lead to remote code execution and a full take over of a vulnerable device. No user interaction is required. Out of the 11 identified vulnerabilities, 6 are rated critical.

The operating system is owned and maintained by Alameda, CA-based Wind River, which acquired VxWorks from Interpeak in 2006. Interpeak developed the operating system more than 30 years ago but it still extensively used due to its ability to process data quickly and for its reliability. The OS is used in an extensive range of products, including elevators, industrial controllers, data acquisition systems, patient monitors, MRI machines, and firewalls.

“Unfortunately, real-time operating systems have not been researched as thoroughly as most consumer operating systems have, and VxWorks is not the only widely used RTOS,” said Armis researcher Seri Zusman. “So many more vulnerabilities might be lurking in these uncharted territories. On the other hand – there is a growing awareness of the various embedded systems, and on the various security risks they might have. So, we are on the right track.”

The vulnerabilities were all in the VxWorks TCP/IP (IPnet) which is used to connect to the Internet. Successful exploitation of one of the vulnerabilities would allow an attacker to bypass network address translation and the firewall and remotely attack and take full control of the device.

One of the main problems with many of the devices on which the operating system is installed is they cannot be scanned by vulnerability scanning products to identify vulnerabilities. They are also difficult to protect with existing IT security solutions.

IoT security firm Armis reported the flaws to Wind River and prior to the Armis announcement on Monday, Wind River had issued patches for several of the vulnerabilities.

Wind River chief security architect, Arlen Baker, explained that there have been no reported cases of the vulnerabilities being exploited in the wild, but it is nonetheless important to patch promptly. In particular, ”Organizations deploying devices with impacted versions of VxWorks that have the IPnet networking stack should patch impacted devices immediately,” said Baker.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news