Crucial VxWorks OS Zero-Day Exploits Put 200 Million Devices At Severe Security Risk

It is big news when a major vulnerability is discovered and exploited in Windows, because there is the potential to do a lot of harm. We saw this when WannaCry crippled UK hospitals for a short time (fortunately, it was mitigated rather quickly). Now, you may not have heard of VxWorks, a real-time operating system (RTOS), but a series of recently discovered security flaws is no less concerning.

Wind River (acquired by Intel in 2006 and sold to TPG in 2018) describes VxWorks as "the most widely used operating system you may never have heard about." That is probably accurate for the average person. While not as widely known as Windows or macOS, VxWorks is installed on more than 2 billion embedded devices and systems.

Researchers at Armis Labs found nearly a dozen potentially serious security vulnerabilities, called Urgent/11, affecting VxWorks. The flaws affect an estimated 200 million devices, including things like routers, modems, firewalls, printers, VoIP phones, SCADA systems, Internet of Things (IoT) devices, and MRI machines, and even elevators.

"The actual extent of VxWorks devices is astonishing, including Siemens, ABB, Emerson Electric, Rockwell Automation, Mitsubishi Electronic, Samsung, Ricoh, Xerox, NEC, and Arris, among others," Armis Labs says.

This is serious stuff, considering the reach that VxWorks has—NASA's 2018 InSight Mars Lander mission even used a version of VxWorks (though it's not clear if it's affected).

The 11 flaws include six critical remote execution exploits, and five that are less severe but could still result in denial of service (DoS) attacks, information leaks, and logic errors. An attacker that targets a VxWorks device can exploit its TCP/IP stack without any user interaction, and take control remotely. This would not be detected (or stopped) by a firewall.

These security holes are present in every version of VxWorks dating back to v6.5 released in 2006 (VxWorks 653 and VxWorks Cert Edition used in safety-critical systems are not affected). There are patches available, and Armis Labs says they should be applied immediately.