Armis finds VxWorks bug in 200mn devices, have fun patching

Some 200mn devices running Wind River’s VxWorks real-time operating system (RTOS) are vulnerable to a cluster of 11 vulnerabilities discovered by Armis, a cybersecurity firm. Wind River has already started working on fixes, but notes that patching is going to be difficult. So, water continues to be wet, bears continue to do business in woods, and IoT security is still woeful.

Perhaps the narrative should shift to just accepting this sorry state of affairs – the inevitability of insecurity, the complete lack of motivation or urgency from customers to implement fixes, the perplexity of governments as to how to get a handle on the problem. This sounds like conceding defeat, but perhaps it is just pragmatism.

There are north of 2bn devices using VxWorks, and this selection of errors has existed since 2006 according to Armis. The company believes six of these enable remote access to the device and allow for worm-like propagation, which could have disastrous results given the use of RTOS in some very critical functions and systems. The new findings, called Urgent/11, should be triggering WannaCry flashbacks in sysadmins.

“Finding a vulnerability in the network layer means it would affect any device that is using this operating system and that has networking capabilities,” said Ben Seri, VP Research at Armis, speaking to Wired. “It’s like the holy grail of vulnerability research finding something in that layer.”

The full details are being presented at Black Hat next week, but Armis disclosed the discovery to Wind River in March. Initial patches have been issued by the developer, but because so many RTOS instances are running processes that can’t be interrupted, actually getting these systems updated could be practically impossible.

An added wrinkle is that so many of the industrial RTOS deployments are going to be on devices that have limited or no connectivity. This is a blessing and a curse, in that you can’t remotely attack a device with no direct internet connection, but it does mean that anyone in sufficient proximity could run riot with the code and that getting patches to these systems requires site visits and very likely downtime.

“VxWorks is used so pervasively that there’s going to be a very long tail of patching,” says Michael Parker, Armis’ chief marketing officer. “It’s things like firewalls or robotic arms, or think about patient monitors and medical equipment. They have to basically create a whole new operating system and get FDA approval. You can’t just shut down a product line and do these updates.”

As for how Urgent/11 has come to pass, there are going to be some pointed questions leveled at Wind River – the former Intel business that is now owned by private equity investors. The bugs are present in the TCP/IP stack, that is, the internet protocol that lets these devices communicate. This stack has been essentially free of errors since the turn of the century, as it is a pretty standard part of all connected devices.

It seems that Wind River must have been doing some tinkering to introduce this problem, but the company notes that Urgent/11 is not present in the current version of VxWorks, nor in its certified versions. The latter point is good news for those who have been relying on the certification to ensure that no such bugs are present.

Whatever issue Wind River has introduced to its code, the result is the same – this is a very embarrassing problem that is going to knock customer confidence for some time. So far, no damage has been done, but once the vulnerabilities are out in the wild, an attacker could use them to take systems offline or inflict damage.

“Not all vulnerabilities apply to all impacted versions. To date, there is no indication the Urgent/11 vulnerabilities have been exploited in the wild,” Wind River said in a statement. “Those impacted make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organizational networks that are internet-facing such as modems, routers, and printers, as well as some industrial and medical devices. Organizations deploying devices with VxWorks should patch impacted devices immediately.”