HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Critical VxWorks Vulnerabilities Impact 2 Billion Devices

Security researchers at Armin have identified 11 vulnerabilities in the VxWorks real-time operating system that is used in around 2 billion IoT devices, medical devices, and control systems.

Six of the vulnerabilities have been rated critical and can be exploited remotely with no user interaction required. A successful exploit would allow a hacker to take full control of an affected device. The vulnerabilities are collectively known as “Urgent/11”

VxWorks was first created more than 30 years ago and was developed to serve as an ultra-reliable operating system capable of processing data quickly. Today, VxWorks is the most popular real-time operating system in use and can be found in patient monitors, MRI machines, elevator control systems, industrial controllers, data acquisition systems, modems, routers, firewalls, VOIP phones, and printers.

Armin researchers alerted Wind River about the flaws and patches have now been issued to address the vulnerabilities. Wind River said all currently supported versions of VxWorks are affected by at least one of the vulnerabilities. The vulnerabilities are all in the transmission control protocol/Internet protocol (TCP/IP) stack of VxWorks, also known as IPnet.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The vulnerabilities are:

  • CVE-2019-12256 – Stack-based buffer overflow – CVSS v3: 9.8
  • CVE-2019-12257 – Heap-based buffer overflow – CVSS v3: 8.8
  • CVE-2019-12255 – Integer Underflow – CVSS v3: 9.8
  • CVE-2019-12260 – Improper restriction of operations in memory buffer – CVSS v3: 9.8
  • CVE-2019-12261 – Improper restriction of operations in memory buffer – CVSS v3: 8.8
  • CVE-2019-12263 – Concurrent execution using shared resource with improper synchronization – CVSS v3: 8.1
  • CVE-2019-12258 – Argument injection or modification – CVSS v3: 7.5
  • CVE-2019-12259 – Null pointer dereference – CVSS v3: 6.3
  • CVE-2019-12262 – Argument injection or modification – CVSS v3: 7.1
  • CVE-2019-12264 – Argument injection or modification – CVSS v3: 7.1
  • CVE-2019-12265 – Argument injection or modification – CVSS v3: 5.4

Some of the vulnerabilities affect VxWorks versions which are at or approaching end of life (Versions back to 6.5) and also the now discontinued product, Advanced Networking Technology (ANT). Wind River also reports that one of the vulnerabilities – CVE-2019-12256 – also affects the WvWorks bootrom network stack, as it leverages the same IPnet source as VxWorks.

The following VxWorks products are not affected:

  • VxWorks 5.3 to VxWorks 6.4 inclusive
  • VxWorks Cert versions
  • VxWorks 653 Versions 2.x and earlier.
  • VxWorks 653 MCE 3.x Cert Edition and later.

Patches for the affected VxWorks versions can be obtained by emailing Wind River- [email protected] – and stating the which version needs to be patched. Xerox and Rockwell Automation have released their own security advisories about the vulnerabilities.

Affected individuals have been advised to apply the patches as soon as possible. Wind River said there have been no reported instances of the vulnerabilities being exploited in the wild.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.