'Urgent/11' Vulnerabilities Affect Many Embedded Systems
Security researchers at the vendor Armis have disclosed 11 zero-day vulnerabilities in VxWorks, a real-time operating system running on some 2 billion embedded systems, including medical devices, routers, VOIP phones and even mission-critical infrastructure equipment, the company detailed on Monday. The collection of vulnerabilities, which Armis calls "Urgent/11," could lead to remote code execution and allow an attacker to take over a whole system without any user interaction. Of the 11 flaws, six are deemed critical.
VxWorks is a widely used real-time operating system owned and maintained by Wind River, headquartered in California. Unlike Microsoft Windows or Linux, operating systems of this type are found in embedded and internet of things systems, where they process data quickly and provide a high degree of reliability. VxWorks has been deployed across many markets for more than 30 years and is still used in numerous embedded systems and IoT devices, including mission-critical supervisory control and data acquisition systems such as elevator and industrial controllers, as well as patient monitors, MRI machines, firewalls, routers, modems, VOIP phones and printers.
What makes the critical vulnerabilities a particular security concern, the Armis researchers found, is that because the flaws require no user interaction, an exploit achieving remote code execution could spread malware from one vulnerable device to another within a network. In that respect they are "wormable," in the same way as the WannaCry ransomware and the newer Windows vulnerability known as BlueKeep.
The Urgent/11 vulnerabilities affect all versions of VxWorks starting with the 6.5 release. The flaws do not, however, affect the products designed for certification, such as VxWorks 653 and VxWorks Cert Edition, which are used by selected industries such as transportation, according to Armis.