Ever Heard of VxWorks? Me Either!
Turns out that VxWorks is an extremely popular “real time” operating system, or RTOS. RTOSes are used in devices that need to be able to respond to real time events, which is something that, say, Windows, Linux or MacOS are not built for. VxWorks can make sure that if, say, an MRI machine is zapping someone with energy in order to create an image and the computer decides that the patient has received enough energy, the beam is turned off. NOW! RIGHT NOW! Windows, Linux and MacOS would turn it off too, but it might happen a little later – possibly killing the patient in the process, which is generally not considered a desirable outcome.
So who uses VxWorks? Apparently about 2 BILLION devices. These include firewalls, routers, printers, the MRI machines that I talked about above, patient monitors, satellite phones, industrial control (SCADA) devices, VOIP phones and many other devices.
One other benefit of RTOSes is that they are small. Very small. For example, Microsoft recommends 2 Gig of RAM and 20 Gig of disk for Windows 10. VxWorks will work with 1 Meg of RAM and 512K of ROM. More is better, but, as you can see, it will work in a very small footprint.
Researchers found 11 serious flaws in VxWorks, most of which allow an attacker to compromise the system without any user interaction at all.
Wind River, the company that makes VxWorks, has released patches, and they also say that, while they don’t really know, not all 2 billion devices are equally compromisable. Maybe ONLY 200 million are at high risk (well, not a big deal then – ONLY 200 million devices). Of course the low risk devices become high risk as soon as an attacker compromises the crunchy outer shell of your network. It is also not clear that they know every place that VxWorks is deployed, since many companies might buy it from a third party.
Two vendors who have publicly announced patches are Xerox and SonicWall. Users may be used to patching their SonicWall firewalls, but how many users patch their Xerox printers and copiers?
The researchers say that attacks against VxWorks (named URGENT/11) can be detected at your firewall, unless the firewall itself is being attacked, the attacker is launching the attack from an otherwise compromised device inside your network, or the device is located on the public Internet. Researchers demonstrated the attack against SonicWall, Xerox and also a patient monitor at Black Hat recently.
So what do you do?
This is where those Bills of Materials that I have talked about for a long time come into play (even though most vendors can’t or won’t provide one). Alternatively, you need to ask vendors if they are vulnerable to the URGENT/11 attack. Start with vendors whose equipment is (a) mission critical, (b) exposed to the Internet, (c) affects life safety or (d) could kill you (as in a patient monitor or SCADA device). ANY one of (a), (b), (c) or (d) qualifies. Two or more ups the risk.
Make sure that your firewalls and intrusion detection/prevention systems have signatures to detect URGENT/11. While this is not perfect for the reasons I mentioned before, it can’t hurt.
Be alert to unusual network behavior. This could be an indication that your network has been infiltrated.
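The vendor triage described above, combining a bill of materials with the (a) through (d) criteria, can be run over a device inventory. This is an added example, not code from the original post; it assumes each device record carries boolean flags for the four criteria and, where the vendor supplied one, a CycloneDX-style JSON bill of materials (the field names, the BOM format and the sample inventory are all assumptions constructed for illustration).

```python
import json

CRITERIA = ("mission_critical", "internet_exposed", "life_safety", "could_kill")  # (a)-(d)

INVENTORY = [  # constructed sample data, not real devices
    {"device": "lobby-printer",
     "sbom": '{"components": [{"name": "VxWorks"}]}'},
    {"device": "badge-reader", "mission_critical": True,
     "sbom": '{"components": [{"name": "linux-kernel"}]}'},
    {"device": "edge-firewall", "mission_critical": True, "internet_exposed": True,
     "sbom": '{"components": [{"name": "fw-image",'
             ' "components": [{"name": "Wind River VxWorks"}]}]}'},
    {"device": "patient-monitor", "mission_critical": True, "life_safety": True,
     "could_kill": True, "sbom": None},
]

def bom_status(sbom_text):
    """Return 'vxworks', 'clear' or 'unknown' for one device's bill of materials."""
    if not sbom_text:
        return "unknown"              # vendor could not or would not provide one
    try:
        pending = list(json.loads(sbom_text).get("components", []))
    except (ValueError, AttributeError, TypeError):
        return "unknown"              # an unreadable BOM is treated like a missing one
    while pending:                    # walk nested components too
        comp = pending.pop()
        if not isinstance(comp, dict):
            continue
        if "vxworks" in str(comp.get("name", "")).lower():
            return "vxworks"
        pending.extend(comp.get("components") or [])
    return "clear"

def triage(inventory):
    """Rank devices for vendor follow-up; more criteria met means higher priority."""
    queue = []
    for dev in inventory:
        status = bom_status(dev.get("sbom"))
        if status == "clear":
            continue                  # BOM lists no VxWorks (assumes the BOM is complete)
        score = sum(bool(dev.get(c)) for c in CRITERIA)
        action = ("request URGENT/11 patch from vendor" if status == "vxworks"
                  else "ask vendor whether device is vulnerable to URGENT/11")
        queue.append({"device": dev["device"], "score": score, "action": action})
    # Highest score first; the sort is stable, so inventory order breaks ties.
    return sorted(queue, key=lambda d: -d["score"])

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

Devices with no bill of materials stay in the queue rather than being dropped, since a missing BOM says nothing about whether VxWorks is inside.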
The big problem here is that most of those 2 billion devices will never be patched. This bug goes back to 2006 – yes 13 years ago – AT LEAST that far back. Not all versions of VxWorks are vulnerable to all of the bugs, but every version is vulnerable to at least one of the bugs.
Many of the devices are no longer supported by the vendor and in some cases, the vendor might not even be in business.
If the vendor is in China, where an amazing amount of hardware and software comes from, of course they may have no incentive to patch the holes as most users would have no clue as to whether the device is vulnerable and the Chinese might want to use the vulnerability to compromise affected devices.
The bigger problem is supply chain. You buy, say, a security camera from Cisco. Seems like this might be made in the US. But they buy a processor board for the camera from vendor X and vendor X gets software for the system from vendor Y and other parts for the system from vendor Z. Very quickly you lose track of where things come from. If you think about something like a car, a high-end car could have 200 processors, possibly each from a different vendor and each with its own supply chain issues.
The problem is not simple to solve.
Source: CSO Online.