Cybersecurity researchers at Armis have discovered 11 zero-day vulnerabilities in Wind River’s VxWorks RTOS (Real-Time Operating System).
VxWorks is one of the most popular operating systems for IoT devices, used by more than 2 billion devices around the world. It powers connected devices used for many purposes, such as MRI machines, firewalls, printers, airplanes, trains, etc.
Dubbed URGENT/11, the new vulnerabilities could allow attackers to take over devices remotely without any user interaction. This might affect critical infrastructure systems, including SCADA, elevator and industrial controllers, patient monitors and MRI machines, as well as firewalls, routers, modems, VOIP phones and printers.
The vulnerabilities reside in VxWorks and affect all of its versions deployed across industrial, medical and enterprise environments.
Other operating systems that use the same IPnet TCP/IP stack as VxWorks may also be affected. Six of the eleven vulnerabilities are critical and could let attackers gain full control over a targeted device using unauthenticated network packets.
“URGENT/11 are the most severe vulnerabilities found in VxWorks to date, which has suffered from only 13 public CVEs in its 32-year history. URGENT/11 is a unique group of vulnerabilities that allow attackers to circumvent NAT and firewalls and take control over devices remotely via the TCP/IP stack undetected, with no user interaction required. This is due to the vulnerabilities’ low-level position inside the TCP/IP stack, which enables attacks to be viewed as legitimate network activity,” explained Armis Labs.
These six critical vulnerabilities are:
- Stack overflow in the parsing of IPv4 packets IP options (CVE-2019-12256)
- TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255), affecting VxWorks versions 6.5 to 6.9.3
- Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)
- TCP Urgent Pointer state confusion caused by malformed TCP AO option (CVE-2019-12260), affecting VxWorks versions 6.9.4 and above
- TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261), affecting VxWorks versions 6.7 and above
- TCP Urgent Pointer state confusion due to race condition (CVE-2019-12263), affecting VxWorks versions 6.6 and above
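As an added example (not Armis or Wind River code) of the defender-side check a practitioner might derive from the CVE-2019-12255 entry above: a small Python parser that pulls the flags and urgent pointer out of a raw TCP header and flags segments that carry the URG flag with an urgent pointer of zero. The URG-plus-zero-pointer heuristic and the sample segments are assumptions constructed here for illustration, not captured traffic or a vendor-published rule.

```python
import struct

# Fixed 20-byte TCP header (RFC 793): src port, dst port, seq, ack,
# data offset/reserved/flags, window, checksum, urgent pointer.
TCP_HDR = struct.Struct("!HHIIHHHH")
URG = 0x20  # URG bit within the 9-bit flags field


def parse_tcp_header(segment: bytes) -> dict:
    """Return the header fields a detector needs from a raw TCP segment."""
    if len(segment) < TCP_HDR.size:
        raise ValueError("segment shorter than the minimal TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, urg_ptr = TCP_HDR.unpack_from(segment)
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
        "flags": off_flags & 0x1FF,
        "window": window,
        "urg_ptr": urg_ptr,
    }


def urg_pointer_zero(segment: bytes) -> bool:
    """Heuristic (an assumption here, not a vendor rule): URG set with urgent pointer 0.

    A sender that sets URG is expected to point at urgent data, so a zero
    pointer is the malformed shape the CVE-2019-12255 entry is named after.
    """
    hdr = parse_tcp_header(segment)
    return bool(hdr["flags"] & URG) and hdr["urg_ptr"] == 0


def scan_segments(segments) -> list:
    """Indices of segments matching the heuristic, for alerting or logging."""
    return [i for i, seg in enumerate(segments) if urg_pointer_zero(seg)]


def _segment(flags: int, urg_ptr: int) -> bytes:
    """Constructed sample header (data offset 5, checksum 0); not captured traffic."""
    return TCP_HDR.pack(40000, 80, 1, 0, (5 << 12) | flags, 65535, 0, urg_ptr)


# Constructed samples: a plain SYN, a PSH/ACK with URG and a real urgent
# pointer, and a PSH/ACK with URG set but urgent pointer 0.
SAMPLES = [_segment(0x02, 0), _segment(0x38, 4), _segment(0x38, 0)]

if __name__ == "__main__":
    print("flagged segment indices:", scan_segments(SAMPLES))  # [2]
```

In a real deployment the same check would run over the TCP header of each captured packet (after the IP header) rather than over the constructed list.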
Five less severe vulnerabilities are:
- TCP connection DoS via malformed TCP options (CVE-2019-12258)
- DoS via NULL dereference in IGMP parsing (CVE-2019-12259)
- Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)
- Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)
- IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)
Armis and Wind River have been working together to fix the security flaws. The latest release of VxWorks (version 7), published on July 19, includes patches for these vulnerabilities.