Share this article on:
Security researchers at Armin have identified 11 vulnerabilities in the VxWorks real-time operating system that is used in around 2 billion IoT devices, medical devices, and control systems.
Six of the vulnerabilities have been rated critical and can be exploited remotely with no user interaction required. A successful exploit would allow a hacker to take full control of an affected device. The vulnerabilities are collectively known as “Urgent/11”
VxWorks was first created more than 30 years ago and was developed to serve as an ultra-reliable operating system capable of processing data quickly. Today, VxWorks is the most popular real-time operating system in use and can be found in patient monitors, MRI machines, elevator control systems, industrial controllers, data acquisition systems, modems, routers, firewalls, VOIP phones, and printers.
Armin researchers alerted Wind River about the flaws and patches have now been issued to address the vulnerabilities. Wind River said all currently supported versions of VxWorks are affected by at least one of the vulnerabilities. The vulnerabilities are all in the transmission control protocol/Internet protocol (TCP/IP) stack of VxWorks, also known as IPnet.
The vulnerabilities are:
- CVE-2019-12256 – Stack-based buffer overflow – CVSS v3: 9.8
- CVE-2019-12257 – Heap-based buffer overflow – CVSS v3: 8.8
- CVE-2019-12255 – Integer Underflow – CVSS v3: 9.8
- CVE-2019-12260 – Improper restriction of operations in memory buffer – CVSS v3: 9.8
- CVE-2019-12261 – Improper restriction of operations in memory buffer – CVSS v3: 8.8
- CVE-2019-12263 – Concurrent execution using shared resource with improper synchronization – CVSS v3: 8.1
- CVE-2019-12258 – Argument injection or modification – CVSS v3: 7.5
- CVE-2019-12259 – Null pointer dereference – CVSS v3: 6.3
- CVE-2019-12262 – Argument injection or modification – CVSS v3: 7.1
- CVE-2019-12264 – Argument injection or modification – CVSS v3: 7.1
- CVE-2019-12265 – Argument injection or modification – CVSS v3: 5.4
Some of the vulnerabilities affect VxWorks versions which are at or approaching end of life (Versions back to 6.5) and also the now discontinued product, Advanced Networking Technology (ANT). Wind River also reports that one of the vulnerabilities – CVE-2019-12256 – also affects the WvWorks bootrom network stack, as it leverages the same IPnet source as VxWorks.
The following VxWorks products are not affected:
- VxWorks 5.3 to VxWorks 6.4 inclusive
- VxWorks Cert versions
- VxWorks 653 Versions 2.x and earlier.
- VxWorks 653 MCE 3.x Cert Edition and later.
Patches for the affected VxWorks versions can be obtained by emailing Wind River- SIRT@windriver.com – and stating the which version needs to be patched. Xerox and Rockwell Automation have released their own security advisories about the vulnerabilities.
Affected individuals have been advised to apply the patches as soon as possible. Wind River said there have been no reported instances of the vulnerabilities being exploited in the wild.