Recently, Armis Labs, a security research firm focused on “internet of things” devices and cybersecurity, announced the discovery of a series of zero-day vulnerabilities in Wind River Systems’ VxWorks operating system. The findings indicate that this series of vulnerabilities impacts approximately 200 million devices, including routers, modems, firewalls, printers, VoIP phones, SCADA systems, MRI machines and elevators.
Armis Labs is referring to this group of vulnerabilities as “URGENT/11.”
Understanding VxWorks
Even if the name VxWorks is unfamiliar to you, the devices that utilize it likely aren’t. VxWorks is a real-time operating system (RTOS) designed for embedded systems that require highly reliable operation, from critical infrastructure to medical devices. It is the most widely used RTOS in the world. According to Armis Labs, the number of companies whose devices use VxWorks is astonishing, and the list includes Siemens, ABB, Emerson Electric, Rockwell Automation, Mitsubishi Electric, Samsung, Ricoh, Xerox, NEC and Arris.
The URGENT/11 vulnerabilities are present in all versions of VxWorks since 6.5. Some enable remote code execution, making them critical to the security of those devices. The other vulnerabilities on the list are classified as denial of service, information leaks or logic flaws.
Effects on VxWorks Devices
URGENT/11 vulnerabilities allow an attacker to enter and control devices without user interaction and to bypass perimeter security devices, such as firewalls and NAT solutions. This access can be used to propagate malware into networks. The WannaCry malware attack in May 2017, which took advantage of the EternalBlue vulnerability, is an example of a similar attack.
VxWorks devices also lack the ability to install security agents, such as antivirus software. However, VxWorks does include some optional mitigations, such as data execution prevention (DEP) and address space layout randomization (ASLR), that could make some of the URGENT/11 vulnerabilities harder to exploit. Unfortunately, Armis Labs did not find evidence that these mitigation tactics were being implemented in the devices tested. This combination of factors should make URGENT/11 vulnerabilities a top priority for the industries that utilize vulnerable devices.
How to Protect Your Assets
Addressing these vulnerabilities will require significant effort for many organizations. The first challenge is to determine what devices are affected.
Most manufacturers don’t broadcast the use of VxWorks within their products, so having a good asset inventory — in which the asset managers have taken steps to determine what software is loaded on their assets — will help in the initial triage of affected devices. Baseline information should include the operating system and application versions running, even on industrial control system (ICS) devices like programmable logic controllers (PLCs), remote terminal units (RTUs) and distributed control system (DCS) controllers. Sometimes it takes a vulnerability scanning tool to collect this information from more locked-down or proprietary devices.
Second, a strong patch management program — in which vendor sites are regularly monitored for security patches — will help organizations track when a fix becomes available for their devices. Passively waiting for vendors to send out notifications is less effective than actively monitoring each vendor’s software repositories. In addition, regular vulnerability assessments of critical devices should be performed to determine whether anything was missed during regular patching cycles, and to hopefully catch any unusual incidents taking place on the network.
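The initial triage step described above, as an added example that is not part of the original post: it reads a constructed asset inventory (the CSV text and asset IDs are made up for illustration) and flags every device recorded as running VxWorks 6.5 or later as potentially affected by URGENT/11, while separately calling out devices whose OS or version was never baselined, since those cannot be cleared until a scanner or the vendor supplies that information. A flag here is a signal for follow-up with the device vendor, not a confirmation of exposure.

```python
import csv
import io
import re

# Constructed sample inventory (not real assets): a blank os_version means
# the baseline for that device is incomplete.
INVENTORY_CSV = """asset_id,device_type,os,os_version
plc-01,PLC,VxWorks,6.9
rtu-07,RTU,VxWorks,6.4
fw-02,Firewall,VxWorks,7.0
prn-03,Printer,VxWorks,
dcs-05,DCS controller,QNX,7.1
mri-01,MRI,unknown,
"""

AFFECTED_SINCE = (6, 5)  # URGENT/11 affects VxWorks 6.5 and later


def parse_version(text):
    """Turn '6.9' or '7.0.1' into a comparable tuple; None if unparseable."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage_device(row):
    """Classify one inventory row for URGENT/11 follow-up."""
    os_name = (row.get("os") or "").strip().lower()
    version = parse_version(row.get("os_version"))
    if os_name in ("", "unknown"):
        return "baseline-incomplete"        # OS never recorded: scan or ask vendor
    if os_name != "vxworks":
        return "not-vxworks"
    if version is None:
        return "vxworks-version-unknown"    # cannot be cleared without a version
    return "potentially-affected" if version >= AFFECTED_SINCE else "below-6.5"


def triage_inventory(csv_text):
    """Return {asset_id: status} for every row in the inventory."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["asset_id"]: triage_device(row) for row in reader}


if __name__ == "__main__":
    for asset, status in triage_inventory(INVENTORY_CSV).items():
        print(f"{asset:8} {status}")
```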
Partnering with an experienced team can make the mitigation process for this vulnerability smoother and more effective. Burns & McDonnell has extensive experience in asset management, patch management, vulnerability assessment and incident response. Don’t hesitate to reach out if your organization needs assistance.
Building an effective security plan is paramount to protecting your organization against evolving threats. See how to do it.