11 zero-day vulnerabilities have been discovered in one of the world’s most widely used IoT operating systems. VxWorks is so common that it is used in over 2 billion devices around the world, including by most major Industrial control brands.
The security researchers Armis, who discovered and disclosed the vulnerability have estimated that over 200 million devices may be exposed and at risk of a potential attack. Six of the eleven identified vulnerabilities have been classified as critical, enabling Remote Code Execution (RCE) through network connectivity to target the core underlying OS; described by Armis as “the holy grail for attackers”.
Due to the high likelihood of exposure to the VxWorks vulnerabilities TES are recommending that our clients undertake the following steps.
- Identify and Patch vulnerable devices:
You need to urgently identify all devices that use VxWorks and reach out to the device manufacturers for information about patching the software on each device. Most of the major industrial control brands use VxWorks and may be vulnerable. TES are able to conduct onsite scanning to detect affected devices on ICS networks. Please contact us to discuss this further or to arrange an appointment.
- Shield all vulnerable devices via network controls:
Temporarily segment your network to ensure that any vulnerable device is isolated within a small subnet until you can patch or replace vulnerable devices.
- Monitor vulnerable devices for evidence of compromise:
Monitor all devices that are running vulnerable versions of VxWorks for indication of compromise at network level.
We are aware that many ICS environments are running older (vulnerable) versions of VxWorks, have no patch management strategy for ICS and heavily rely on air gaps which cannot be effectively monitored. Should this be the case for you we recommend that you contact ICS Cyber Security experts such as TES Cybersafe for advice and assistance.
A list of CVE’s for each vulnerability is included below;
Critical Vulnerabilities allowing remote-code-execution:
- Stack overflow in the parsing of IPv4 options
- CVE-2019-12256 affecting VxWorks v6.9.4 or above
- Four memory corruption vulnerabilities stemming from erroneous handling of TCP’s Urgent Pointer field
- CVE-2019-12255 affecting VxWorks v6.5 to 6.9.3
- CVE-2019-12260 affecting VxWorks v6.94 and above
- CVE-2019-12261 affecting VxWorks v6.7 and above
- CVE-2019-12263 affecting VxWorks v6.6 and above
- Heap overflow in DHCP Offer/ACK parsing in ipdhcpc
- CVE-2019-12257 affecting VxWorks v6.5 to 6.9.3
Vulnerabilities leading to denial of service, information leak or certain logical flaws:
- TCP connection DoS via malformed TCP options
- CVE-2019-12258 affecting VxWorks v6.5 and above
- Handling of unsolicited Reverse ARP replies (Logical Flaw)
- CVE-2019-12262 affecting VxWorks v6.5 and above
- Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
- CVE-2019-12264 affecting VxWorks v6.5 and above
- DoS via NULL deference in IGMP parsing
- CVE-2019-12259 affecting VxWorks v6.5 and above
- IGMP Information leak via IGMPv3 specific membership report
- CVE-2019-12265 affecting VxWorks v6.9.3 and above
For further information about the 11 zero-day vulnerability please visit the Armis website.