11 Flaws In 2-Billion Devices Using An Unknown OS?
It is like being hit by a bullet that we never saw coming. That is how we at hackercombat.com describe the controversy over the TCP/IP bugs in the VxWorks embedded OS, which now affect close to 2 billion Internet-connected devices globally. The batch of 11 flaws, now known as Urgent/11, affects VxWorks, an operating system known only to the engineers who build embedded Internet-connected devices, which are used by almost all industries and by everyone who uses gadgets.
But before we go deeper into the issue, let us step back and explain what VxWorks is. It is an embedded real-time operating system first launched publicly in 1987, thirty-two years ago. It has never been a household name in all that time, as it is embedded in SoCs (systems-on-a-chip). End users cannot interact with it in a practical way, and it operates independently as part of the functionality of embedded devices. Electronic devices from a simple Internet-connected light bulb (an IoT device) up to the NASA-made rovers Opportunity, Spirit and Curiosity have chips using VxWorks. All consumers exposed to electronic devices are using it without realizing it, for example as the operating system embedded in a microwave oven, a car stereo system, or even an elevator.
The Urgent/11 flaws reside in the vulnerable TCP/IP stack bundled with VxWorks. The eleven flaws range from medium-level threats, such as a DoS (Denial of Service) vulnerability, mishandling of reverse ARP replies, an IPv4 logical flaw and IGMP information leakage, to critical-level flaws such as remote code execution. Armis Labs, a cybersecurity consulting firm, has pointed out that six of the 11 flaws are categorized as critical. They are now described with their respective CVE numbers:
TCP Urgent Pointer state confusion due to race condition affecting VxWorks versions 6.6 and above
TCP Urgent Pointer state confusion during connect to a remote host affecting VxWorks versions 6.7 and above
TCP Urgent Pointer state confusion caused by malformed TCP AO option affecting VxWorks versions 6.9.4 and above
Heap overflow in DHCP Offer/ACK parsing in ipdhcpc
TCP Urgent Pointer = 0 leads to integer underflow affecting VxWorks versions 6.5 to 6.9.3
Stack overflow in the parsing of IPv4 packets IP options
“URGENT/11 are the most severe vulnerabilities found in VxWorks to date, which has suffered from only 13 public CVEs in its 32-year history. URGENT/11 is a unique group of vulnerabilities that allow attackers to circumvent NAT and firewalls and take control over devices remotely via the TCP/IP stack undetected, with no user interaction required. This is due to the vulnerabilities’ low level position inside the TCP/IP stack, which enables attacks to be viewed as legitimate network activity,” emphasized Armis Labs’ representative.
Wind River, the company responsible for the release and maintenance of the VxWorks operating system, has released version 7 of the firmware. However, we bring up the same issue of updating the firmware, similar to how Android has a fragmentation problem. It will be very difficult for all 2 billion vulnerable devices to be flashed with the fixed v7 of VxWorks. There will always be devices on the Internet that continue to run the vulnerable old version of the firmware.
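For devices that cannot be reflashed, defenders can at least watch the network for the header traits the flaw list names. The following is an added example, not code from Armis or Wind River: it parses raw IPv4 packets and reports IP options and the TCP URG flag with a zero urgent pointer. The function names, labels and sample packets are assumptions made for illustration, and the checks are triage heuristics rather than signatures for the individual CVEs, since benign traffic can show the same traits.

```python
import struct

URG = 0x20  # URG bit in the TCP flags byte

def triage_ipv4(packet):
    """Return labels for header traits tied to the flaw list (heuristic only)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not-ipv4-or-truncated"]
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return ["bad-ip-header-length"]
    findings = []
    if ihl > 20:                              # header longer than 20 bytes = options
        findings.append("ip-options-present")
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] != 6 or frag_offset != 0:    # TCP header only in first fragment
        return findings
    tcp = packet[ihl:]
    if len(tcp) < 20:
        findings.append("truncated-tcp-header")
        return findings
    urg_ptr = struct.unpack("!H", tcp[18:20])[0]
    if tcp[13] & URG:
        findings.append("tcp-urg-set")
        if urg_ptr == 0:                      # URG set but pointer is zero
            findings.append("tcp-urg-pointer-zero")
    return findings

def build_sample(ip_options=b"", flags=0x18, urg_ptr=0):
    """Constructed test packet; addresses are documentation-range, checksums zero."""
    ihl_words = 5 + len(ip_options) // 4      # options must be a multiple of 4 bytes
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 8192, 0, urg_ptr)
    total = 20 + len(ip_options) + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + ip_options + tcp

if __name__ == "__main__":
    samples = {
        "plain PSH/ACK": build_sample(),
        "URG, pointer 0": build_sample(flags=0x38),
        "URG, pointer 5": build_sample(flags=0x38, urg_ptr=5),
        "IP options": build_sample(ip_options=b"\x01\x01\x01\x00"),
    }
    for name, pkt in samples.items():
        print(name, "->", triage_ipv4(pkt))
```
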