The biggest problem with the newly discovered 11 vulnerabilities that affect critical infrastructure systems, Internet of Things, and other networking gear isn’t the hundreds of millions of devices that may be vulnerable. It’s the fact that the vulnerabilities are deep in the technology stack, and many enterprises may not even know they have the affected systems.
What you don't know about, you don't patch.
Researchers at Armis found the 11 vulnerabilities in Wind River VxWorks, a real-time operating system (RTOS) that hardware manufacturers frequently embed in industrial, medical, and enterprise devices. The devices include industrial control systems such as programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems, medical systems such as patient monitors and MRI machines, robotics and automation such as robotic arms and elevator controllers, and networking gear such as printers, satellite modems, Voice-over-IP phones, and firewalls.
“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses.”
The vulnerabilities, six of which are critical remote code-execution flaws, are collectively referred to as “URGENT/11.” Because the flaws sit in the network protocol layer, an attacker can reach the device remotely without any user action to trigger the exploit. While the worst-case scenarios, such as man-in-the-middle attacks on the organization’s web traffic, would require some kind of user action, attackers can still take over devices and disrupt operations.
One class of vulnerability, which encompasses four flaws (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263), is particularly critical because attackers can bypass traditional perimeter defenses, the researchers said. An attacker outside the network can still get past the firewall and network address translation (NAT) and exploit the vulnerable device, because the attack is carried in crafted TCP headers on what otherwise looks like ordinary, permitted TCP traffic.
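The practical consequence of that paragraph is that a stateful firewall or NAT passes these segments because they are well-formed TCP on an allowed connection; catching them requires looking at the TCP header fields themselves. The following is an added example, not code from the article or from Armis or Wind River: a small Python parser for IPv4/TCP packets that flags segments carrying the rarely used TCP URG flag, plus two consistency checks on the urgent pointer (the public advisories for these four CVEs describe them as TCP urgent-pointer handling bugs; the article itself says only “TCP headers”, so treat this as a coarse triage check for traffic headed to embedded devices, not as a signature for any specific CVE). The sample packets are constructed inline with zeroed checksums so the script runs offline; feeding it real traffic would mean pulling the IPv4 payload out of a pcap, which is outside this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits in the low byte of the data-offset/flags word
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    urg_ptr: int
    payload_len: int


def parse_ipv4_tcp(frame: bytes) -> Optional[TcpSegment]:
    """Parse an IPv4 packet (no link-layer header) carrying TCP.
    Returns None for non-IPv4, non-TCP or truncated input instead of raising."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl:
        return None
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6:                      # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:min(total_len, len(frame))]
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    return TcpSegment(src, dst, sport, dport, off_flags & 0x01FF, urg, len(tcp) - data_off)


def urgent_findings(seg: TcpSegment) -> List[str]:
    """Heuristics a perimeter sensor could apply to traffic bound for embedded devices."""
    findings = []
    if seg.flags & TCP_URG:
        findings.append("URG flag set")
        if seg.urg_ptr == 0:
            findings.append("URG set with urgent pointer 0")
        elif seg.urg_ptr > seg.payload_len:
            findings.append("urgent pointer beyond payload")
    elif seg.urg_ptr != 0:
        findings.append("non-zero urgent pointer without URG")
    return findings


def scan(packets: List[bytes]) -> List[Tuple[int, str, List[str]]]:
    """Return (index, flow, findings) for every packet that trips a heuristic."""
    hits = []
    for i, pkt in enumerate(packets):
        seg = parse_ipv4_tcp(pkt)
        if seg is None:
            continue
        f = urgent_findings(seg)
        if f:
            hits.append((i, f"{seg.src}:{seg.sport}->{seg.dst}:{seg.dport}", f))
    return hits


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, urg_ptr: int, payload: bytes = b"") -> bytes:
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left at zero."""
    total = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, urg_ptr)
    return ip + tcp + payload


# Constructed sample traffic (RFC 5737 documentation addresses), not captured data.
CONSTRUCTED_TRAFFIC = [
    build_ipv4_tcp("203.0.113.9", "192.0.2.10", 40000, 80, TCP_ACK | TCP_PSH, 0, b"GET / HTTP/1.0\r\n"),
    build_ipv4_tcp("203.0.113.9", "192.0.2.10", 40001, 80, TCP_ACK | TCP_PSH | TCP_URG, 0, b"AAAA"),
    build_ipv4_tcp("203.0.113.9", "192.0.2.10", 40002, 80, TCP_ACK | TCP_URG, 2, b"AAAA"),
    build_ipv4_tcp("203.0.113.9", "192.0.2.10", 40003, 23, TCP_ACK | TCP_URG, 500, b"AAAA"),
    build_ipv4_tcp("192.0.2.5", "192.0.2.10", 40004, 22, TCP_SYN, 0),
]

if __name__ == "__main__":
    for idx, flow, findings in scan(CONSTRUCTED_TRAFFIC):
        print(f"packet {idx} {flow}: {', '.join(findings)}")
```

Only packets 1 to 3 are reported; the plain HTTP request and the SYN pass silently, which is the point: nothing about the flagged segments is visible to a firewall that only tracks ports and connection state. In a real deployment this check belongs on a sensor in front of the embedded-device segment, alerting rather than dropping, since a few legacy protocols still set URG legitimately.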
“The most concerning issue with these 11 vulnerabilities identified by Armis is not the vulnerabilities themselves,” said Deral Heiland, the IoT research lead at Rapid7. “We are always going to find vulnerabilities, but the bigger issue is, ‘how are we going to identify and patch the embedded devices deployed throughout our business environments that may be vulnerable?’”
The bugs are present in every version of VxWorks since version 6.5, which was released in 2006; the latest version does not have the flaws. The flaws are also not present in any version of VxWorks 653 or VxWorks Cert Edition, the editions used for devices that must be certified before deployment.
In other words, critical infrastructure devices used in nuclear power plants and transportation systems are likely not vulnerable.
“Not all vulnerabilities apply to all impacted versions,” Wind River said. “To date, there is no indication the Urgent/11 vulnerabilities have been exploited in the wild.”
Wind River began distributing patches to customers in June, but given the nature of the devices, patching will likely have a “long tail” as enterprises uncover devices that need to be fixed. For Internet of Things and industrial control systems, simply working out which of the many devices in the organization’s environment are vulnerable is a challenge. It is also harder to update code running in production networks and regulated environments, and many of these systems may require customized processes.
In the case of patient monitors and other medical equipment, for example, fixes have to get approval from the Food and Drug Administration.
“When it comes to embedded devices, it’s common to see organizations deploy and forget, which leads to issues where we don’t know if we are vulnerable,” Heiland said.
The attack surface also extends beyond Wind River. The company acquired IPnet, the TCP/IP networking stack in which the vulnerabilities sit, from another company in 2006. Prior to the acquisition, IPnet was broadly licensed and used by several real-time operating system vendors. This expands the attack surface significantly, since many manufacturers would have shipped the vulnerable component in products that do not run VxWorks at all.
“These sets of vulnerabilities demonstrate how wide ranging, and indeed how far behind we are with assessment activities for IOT devices and their assorted sub systems,” said Stan Lowe, the global chief information security officer at Zscaler. “The old CISO adage of ‘know thy environment’ is now inclusive of our IOT devices that are prevalent in all of our environments, from our ‘smart’ devices to HVAC systems to refrigerators.”