What You Should Do About the URGENT/11 VxWorks Vulnerabilities
The industry is currently buzzing with the news that researchers at Armis labs have found 11 zero-day vulnerabilities in the VxWorks operating system.
Although VxWorks may not have the mindshare of operating systems such as Linux, Windows or Android, it powers an estimated 2 billion critical industrial, medical and enterprise devices. Cited examples include Supervisory Control and Data Acquisition (SCADA), elevator and industrial controllers, patient monitors and MRI machines, as well as firewalls, routers, modems, VoIP phones, and printers.
Some of the known details about the specific vulnerabilities from the Armis Labs website:
The 11 vulnerabilities reside on the VxWorks TCP/IP stack (called IPnet), impacting all versions of VxWorks since v6.5. VxWorks has been in market since 1987 and due to the difficulties in upgrading many of the critical devices that are based on VxWorks, there are many aging versions of the operating system estimated to be in market.6 of 11 the vulnerabilities are classified as critical. The impact is said to be serious as they can enable attackers to take over devices without user interaction; even bypassing perimeter security devices such as firewalls and NATDue to the vulnerabilities’ low-level position inside the TCP/IP stack, it enables attacks to be viewed as legitimate network activity.There is a concern that the vulnerabilities are “wormable” and they can be used to propagate malware into and within the network. These vulnerabilities might have an even wider reach than just VxWorks operating systems, as IPnet was used in other operating systems, prior to its acquisition by VxWorks in 2006.The latest release of VxWorks v7 contains fixes for all the 11 discovered vulnerabilities
Armis Labs has published three videos demonstrating different attacks, including a take-over of a Xerox printer and a SonicWall firewall. However, the most compelling video is the hijacking of a patient monitoring system with the patient data actively manipulated as it is monitoring a live patient.
Determining Your Impact
It is likely that your network has devices that run VxWorks, particularly if you are in the healthcare, utilities or manufacturing verticals.
Networking and security providers may also leverage VxWorks in their products, with the level of exposure varying based on the product and/or VxWorks version. Note that Extreme Networks runs a restricted version of VxWorks within our BOSS (found in our Ethernet Routing Switch portfolio) and our EOS operating systems (found within S and K-Series products and the 7100 Series products). Details on workarounds and fixes for many of the URGENT/11 vulnerabilities can be found on the Extreme Support Portal. This site will continue to be updated as more information is gathered.