Security researchers have identified multiple zero-day vulnerabilities, collectively named URGENT/11, within VxWorks, a prevalent real-time operating system (RTOS) embedded in over 2 billion devices across various sectors, including aerospace, medical, and industrial applications. This newly uncovered threat poses significant risk, especially given that six of the eleven vulnerabilities are classified as critical, potentially enabling severe cyberattacks with devastating consequences.
The report, shared by Armis researchers with The Hacker News prior to its release, highlights the potential for these vulnerabilities to allow remote attackers to bypass conventional security measures, thereby gaining complete control over affected devices with no user interaction required. According to the researchers, such exploits could cause disruptions akin to those seen with the notorious EternalBlue vulnerability.
Although many users may be unfamiliar with VxWorks, it powers an array of everyday Internet of Things (IoT) devices, including webcams, routers, and even traffic lights. Its application extends to mission-critical systems like SCADA, MRI machines, and various industrial controls, which raises alarms regarding the potential impact on public safety and operational integrity.
The identified URGENT/11 vulnerabilities lie within the IPnet TCP/IP networking stack, present since VxWorks version 6.5. Because the flaws have existed that long, every version of the OS released over the last 13 years is susceptible to various attacks. Among the vulnerabilities, several facilitate remote code execution, while others could cause denial-of-service conditions or data leaks.
These exploits enable attackers to send specially crafted TCP packets to affected devices, effectively manipulating them without needing prior access or knowledge about the specific target. While not every version of VxWorks is susceptible to all eleven flaws, at least one critical remote code execution flaw exists in each version, underlining the gravity of the situation.
Researchers emphasize that while VxWorks has built-in mitigations that could complicate the exploitation of some vulnerabilities, manufacturers rarely enable these measures. Additionally, it is suspected that flaws within URGENT/11 could affect other real-time operating systems as well, considering the historical use of the IPnet stack in various operating systems before its acquisition by VxWorks.
As for attack vectors, researchers outline several scenarios through which these vulnerabilities may be exploited. One prominent method involves targeting networking and security devices—such as switches and routers—that are directly accessible via the Internet. A study indicates that more than 775,000 SonicWall firewalls running VxWorks are currently exposed, presenting significant risks for network security.
Another concern arises from the possibility of attacking IoT devices that are indirectly connected to the Internet, using methods such as DNS manipulation or man-in-the-middle attacks to breach cloud communication channels. Similarly, attackers already present within a network could exploit VxWorks vulnerabilities even when the affected devices lack external connectivity.
The implications of these vulnerabilities are severe; they not only threaten data integrity but also pose risks to critical infrastructure and human safety. Experts warn that compromised industrial controllers could lead to dangerous situations within manufacturing environments, while a breached patient monitoring system might have life-threatening implications.
Armis has responsibly disclosed these findings to Wind River Systems, which has since notified numerous device manufacturers and rolled out patches to mitigate the vulnerabilities. However, the process of patch distribution and implementation is expected to be prolonged and challenging, particularly within the realms of IoT devices and essential services.
Ultimately, while some manufacturers like SonicWall and Xerox have already developed patches for their systems, the widespread nature of the vulnerabilities underscores the need for vigilance within the tech community, as well as the implementation of robust cyber hygiene practices going forward. This incident serves as a stark reminder of the ongoing cybersecurity challenges faced by businesses utilizing embedded systems in their operations.