Friday, November 1, 2024
HomeCyber Security News11 Zero-Day Vulnerabilities Found in VxWorks RTOS - 2 Billion Devices...

11 Zero-Day Vulnerabilities Found in VxWorks RTOS – 2 Billion Devices are Vulnerable to Remote Hack

Published on

Malware protection

Researchers discovered 11 zero-day vulnerabilities dubbed “URGENT/11”  in the most widely used operating system VxWorks, a Real-Time Operating System (RTOS) family.

VxWorks is Developed as proprietary software by Wind River Systems used in 2 billion devices including Firewalls, MRI machines, printers, SCADA devices and other areas such as critical infrastructure, networking equipment, medical devices, industrial systems, and even spacecraft, airplanes, trains.

Dubbed “URGENT/11,” vulnerabilities reside in the VxWorks’ TCP/IP stack (IPnet) over past 13 years and affected almost all version from 6.5.

- Advertisement - SIEM as a Service

Team of Researchers from Armis Labs uncovered these vulnerabilities and the company is known to disclose some of the critical bugs such as BLEEDINGBIT and BlueBorne, Bluetooth vulnerabilities that affected more than 5 billion devices.

Among 11 vulnerabilities, 6 of them are classified as “critical” and rest of the vulnerabilities classified as a denial of service, information leaks or logical flaws.

Nature of these vulnerabilities let attackers allow to remotely take over the vulnerable devices including industrial, medical and enterprise devices without any user interaction and also allows to bypass security devices such as firewall and NAT.

In order to exploit the critical system and bypass the security devices, attachers sending a specially crafted TCP Pocket and take complete control and it provides a gateway to control other systems by remotely broadcast the malicious packets.

URGENT/11 Vulnerabilities Attack Scenarios

Researchers described a 3 different type of attack scenarios that propose the significant risk to all of the impacted VxWorks connected devices and URGENT/11 can be used by an attacker to take control over a device in different situations

Scenario 1: Compromise the Network Defence bypass

In the first scenario, vulnerable perimeter devices such as firewalls will take over by the attacker from the internet using the URGENT/11 vulnerabilities and an attacker can launch a direct attack to take over the complete control of the devices such as laptop, desktop, printers and more.

Let’s take a SonicWall firewall that runs on the vulnerable VxWorks OS as an example. and the shodan record shows over 808K SonicWall firewalls connected to the Internet.

Scenario 2: Network Bypassing Security From Outside

“Using URGENT/11  and an Internet connection, an attacker can launch a direct attack with a specially crafted TCP packet and take control over all firewalls at once and compromising all of the networks behind them.”

Similarly, Attackers compromise an IoT device connected to the cloud from within a secure network — such as a Xerox printer by intercepting the printer’s TCP connection to the cloud.

Scenario 3: Attack within the network

Attackers taking advantages of Prior attacks, send the targeted VxWorks device packets capable of taking full control over the device, without any form of user interaction.

For example, “a critical device that has only internal network connections: the patient monitor in a hospital. Even though it has no connection to the Internet, by infiltrating the network an attacker can nevertheless take it over. “

Affected Devices and Vulnerabilities

According to Armis Research, the URGENT/11  vulnerabilities affect all VxWorks versions since version 6.5, excluding versions of the product designed for certification, such as VxWorks 653 and VxWorks Cert Edition

The following list of devices is impacted by URGENT/11 vulnerabilities.

  • SCADA devices
  • Industrial controllers
  • Patient monitors
  • MRI machines
  • Firewalls
  • VOIP phones
  • Printers

Following 6 Vulnerabilities allows attackers to perform remote code execution.

CVE-2019-12256Stack overflow in the parsing of IPv4 options
CVE-2019-12255memory corruption vulnerability
CVE-2019-12260memory corruption vulnerability
CVE-2019-12261memory corruption vulnerability
CVE-2019-12263memory corruption vulnerability
CVE-2019-12257Heap overflow in DHCP

5 Vulnerabilities allow attackers to perform a denial of service, information leak or certain logical flaws.

CVE-2019-12258 – TCP connection DoS via malformed TCP options
CVE-2019-12262 – Handling of unsolicited Reverse ARP replies
CVE-2019-12264 – Logical flaw in IPv4 assignment by the ​ipdhcpc DHCP
CVE-2019-12259 – DoS via NULL dereference in IGMP parsing
CVE-2019-12265 – IGMP Information leak via IGMPv3 specific membership report
.

You can also read the complete technical details of these vulnerabilities here in White Paper.

Armis has been reported all the vulnerabilities to Wind River®, the maintainer of VxWorks, and the latest VxWorks 7 released on July 19 contains fixes for all the discovered vulnerabilities.

SponsoredDownload Free GDPR Comics Book – Importance of Following General Data Protection Regulation (GDPR) to protect your Company Data and user privacy

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...