Armis Labs says it has found 11 zero-day vulnerabilities, which it calls URGENT/11, in the widely used but little-discussed operating system. It runs on millions of IoT devices, patient monitors, MRI machines and more.

VxWorks OS is vulnerable to remote takeover

By Benjamin Harris
09:00 AM

It’s the operating system that runs the elevator, the HVAC system, medical equipment, and even the router that connects everything else in a hospital to the outside world.

Wind River Systems’ VxWorks real-time operating system powers these devices and more. But pervasive vulnerabilities in versions going back over a decade have recently been discovered. The vulnerabilities are within the TCP/IP (IPnet) stack, which exists in a wide range of older IoT devices.

However, according to Wind River Systems’ FAQ, the latest release of VxWorks is not affected. Wind River has recommended that organizations deploying devices with impacted versions of VxWorks patch immediately and said it has fully tested patches to address the TCP/IP (IPnet) stack vulnerabilities.

WHY IT MATTERS
Researchers at Armis, who call VxWorks "the most widely used operating system you may never (have) heard about," have discovered 11 vulnerabilities, six of them critical, that affect Wind River VxWorks versions since version 6.5 – and are collectively referring to them as "URGENT/11." Wind River notes that certain releases, including its latest release, are not affected. Six of the 11 vulnerabilities are remote code execution vulnerabilities. Other vulnerabilities include denial of service vulnerabilities.

The significance of the RCE vulnerabilities is that successful exploitation could allow a hacker to remotely take over the impacted devices. Successful exploitation of other vulnerabilities could lead to leakage of information, denial of service, and logical flaws. Additionally, these vulnerabilities can be exploited by an unauthenticated remote attacker.

"The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern," said Ben Seri, vice president of research at Armis.

VxWorks and operating systems with similar vulnerabilities are the lightweight and powerful systems that drive many mission-critical and specific-use devices. These devices range from perimeter-level ones like routers and firewalls to equipment that sits inside secured networks, like connected medical devices.

The consequences of any of them being brought under outside control could directly impact everything from the routine functioning of a hospital’s basic facilities to life-critical operations.

Wind River has issued patches and is working on mitigation with customers, but as Wired has pointed out, addressing such widespread IoT updates can be a long process.

On Tuesday, the U.S. Department of Homeland Security put out a Cybersecurity and Infrastructure Security Agency ICS Advisory that explained the vulnerability in detail and offered mitigation information.

THE LARGER TREND
The healthcare industry has been recognized as both target-rich and easy pickings. Any new vulnerability in something so deep-seated in a hospital’s network architecture should reinforce the need to be willing to spend big on investments in security.

This is doubly true with the relatively new class of IoT devices which are currently expanding inside hospitals at a meteoric pace. While this is hardly the first instance of a connected IoT medical device getting hacked, any news of new vulnerabilities makes for a call to action on security.

ON THE RECORD
"URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security," said Yevgeny Dibrov, CEO and co-founder of Armis. "Every business with these devices needs to ensure they are protected. The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk."

"Wind River’s dedicated security incident response team worked closely with Armis to ensure customers were notified and provided patches and mitigation options," said Arlen Baker, Wind River's chief security architect, in a blog post. "This shared, collaborative process was designed and executed to help device makers mitigate potential risks to their users. We thank the security researchers for their role in helping us discover these vulnerabilities in the IPnet networking stack."

Benjamin Harris is a Maine-based freelance writer and former new media producer for HIMSS Media.
Twitter: @BenzoHarris.