Urgent Warning: Multiple Critical Vulnerabilities in RTOS VxWorks


0x00 Background

Researchers at Armis have discovered 11 zero-day vulnerabilities in VxWorks, the most popular real-time operating system (RTOS), used by over 2 billion devices, including mission-critical devices in industrial, medical, and enterprise settings. These vulnerabilities, referred to as URGENT/11, exist in IPnet, the VxWorks TCP/IP stack, affect versions released over the past 13 years, and represent a rare example of vulnerabilities impacting an operating system itself. In its 32-year history, MITRE has only listed 13 CVEs affecting VxWorks, none of which are as severe as URGENT/11.

In recent years, vulnerabilities in widely used TCP/IP stack implementations have become extremely rare, especially those that allow remote code execution on target devices. Such vulnerabilities are the holy grail for attackers, as they do not depend on specific applications and only require the attacker to have network access to the target device. When such vulnerabilities are found in TCP implementations, they can even be used to bypass firewalls and NAT solutions, as they hide within seemingly benign TCP traffic.

0x01 Vulnerability List

The 11 discovered vulnerabilities consist of 6 critical vulnerabilities that may lead to remote code execution:

CVE-2019-12256: Stack overflow when parsing IPv4 packet IP options

CVE-2019-12255: Integer underflow caused by TCP urgent pointer being 0

CVE-2019-12260: TCP urgent pointer state confusion caused by malformed TCP AO options

CVE-2019-12261: TCP urgent pointer state confusion when connecting to a remote host

CVE-2019-12263: TCP urgent pointer state confusion caused by a race condition

CVE-2019-12257: Heap overflow caused by DHCP Offer/ACK parsing in ipdhcpc

And 5 vulnerabilities that may lead to denial of service, logical errors, or information leakage:

CVE-2019-12258: DoS attack via malformed TCP options during TCP connection

CVE-2019-12262: Logical vulnerability when handling unsolicited reverse ARP replies

CVE-2019-12264: Logical flaw in ipdhcpc DHCP client assigning IPv4

CVE-2019-12259: Denial of service due to NULL dereference in IGMP parsing

CVE-2019-12265: Information leakage caused by IGMPv3 specific member reports

0x02 Exploitation Scenarios

The first attack scenario affects VxWorks devices residing at the network perimeter, such as firewalls. These devices can be attacked directly from the Internet, and their integrity is crucial to the internal network they protect. Using the URGENT/11 vulnerabilities, an attacker can launch direct attacks on these devices, gain full control of them, and subsequently control the network they protect.

The second attack scenario affects any VxWorks device with external network connectivity. The URGENT/11 vulnerabilities allow attackers to take over such devices regardless of any firewall or NAT solution deployed at the network perimeter. The low-level nature of the vulnerabilities means the attacks remain invisible to security measures, because the traffic is perceived as benign network communication.

The third attack scenario involves an attacker on the same local area network as the VxWorks devices, who can broadcast malicious packets to simultaneously attack all vulnerable devices.

0x03 Reducing Attack Surface

Mitigating the risks posed by the aforementioned vulnerabilities is not straightforward. Unlike operating systems used in consumer devices like PCs and mobile phones, the underlying operating systems used by most embedded devices do not receive regular updates. To reduce the risk of these vulnerabilities, it is essential first to identify which devices are running VxWorks.

In addition to the difficulty in identifying which devices run VxWorks, device manufacturers also face the challenge of providing firmware upgrades in a reasonable timeframe. Many VxWorks devices, such as medical and industrial equipment, require extensive testing and certification processes before firmware updates can be delivered to end users. How can users protect themselves before such updates are provided?

Fortunately, there are some unique identifiers for the discovered vulnerabilities that firewall and IDS solutions can use to detect and block any attempts to exploit these vulnerabilities.

For example, the four most critical vulnerabilities discovered (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263) abuse the TCP urgent pointer mechanism via the TCP URG flag. This mechanism is rarely used in ordinary traffic, so creating rules to detect and block any use of it can effectively prevent these attacks.

To detect and block attempts to exploit the IP options vulnerability (CVE-2019-12256), any IP packet carrying an LSRR (Loose Source and Record Route) or SSRR (Strict Source and Record Route) option can be matched and discarded.
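The two blocking rules above, as an added Python example that is not part of the 360CERT advisory or of Armis's tooling: it inspects raw IPv4/TCP headers, reports LSRR/SSRR IP options and any use of the TCP urgent mechanism (URG flag or non-zero urgent pointer), and stops cleanly on truncated or malformed option lengths. The packet builder and sample packets are constructed here for illustration only; checksums are left at zero.

```python
import struct

# IPv4 option type codes from RFC 791 (the type byte includes the copy/class bits).
IPOPT_LSRR = 131   # Loose Source and Record Route
IPOPT_SSRR = 137   # Strict Source and Record Route
TCP_FLAG_URG = 0x20

def ipv4_options(pkt: bytes):
    """Yield the option type codes found in the IPv4 header of a raw packet."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, i = pkt[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                # truncated or malformed length: stop, never loop forever
        yield kind
        i += opts[i + 1]

def inspect_packet(pkt: bytes) -> list:
    """Return the URGENT/11 blocking rules a raw IPv4 packet matches (empty = pass)."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return ["not-ipv4"]
    ihl = (pkt[0] & 0x0F) * 4
    reasons = [f"ipv4-option-{k}" for k in ipv4_options(pkt) if k in (IPOPT_LSRR, IPOPT_SSRR)]
    if pkt[9] == 6 and len(pkt) >= ihl + 20:          # protocol 6 = TCP, full TCP header present
        flags = pkt[ihl + 13]
        urgptr = struct.unpack("!H", pkt[ihl + 18:ihl + 20])[0]
        if flags & TCP_FLAG_URG or urgptr != 0:       # URG flag set or a non-zero urgent pointer
            reasons.append("tcp-urgent")
    return reasons

def build_packet(ip_options: bytes = b"", tcp_flags: int = 0x02, urgptr: int = 0) -> bytes:
    """Constructed IPv4+TCP sample packet (checksums left zero; headers only)."""
    opts = ip_options + b"\x00" * (-len(ip_options) % 4)   # pad options to a 4-byte boundary
    ihl = 5 + len(opts) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + opts
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 8192, 0, urgptr)
    return ip + tcp

if __name__ == "__main__":
    lsrr = b"\x83\x07\x04\xc0\x00\x02\x03"   # constructed LSRR option: length 7, pointer 4, one hop
    print(inspect_packet(build_packet()))                          # []
    print(inspect_packet(build_packet(tcp_flags=0x30, urgptr=1)))  # ['tcp-urgent']
```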

0x04 Affected Versions

The URGENT/11 vulnerabilities affect all VxWorks versions from 6.5 and above.

Wind River, the VxWorks vendor, has published patches and an advisory:

https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

0x05 Timeline

2019-07-29 Armis releases report

2019-07-31 360CERT issues warning

0x06 Reference Links

1. 11 Zero Day Vulnerabilities Impacting VxWorks, the Most Widely Used Real-Time Operating System (RTOS): https://armis.com/urgent11/

2. VxWorks Vulnerability Analysis White Paper: https://go.armis.com/hubfs/White-papers/Urgent11%20Technical%20White%20Paper.pdf

3. Attack Demonstration Video 1: https://www.youtube.com/watch?v=zdVuSnCq4ac&feature=youtu.be

4. Attack Demonstration Video 2: https://www.youtube.com/watch?v=GPYVLbq83xQ&feature=youtu.be

5. Attack Demonstration Video 3: https://www.youtube.com/watch?v=u1DybHV34L8&feature=youtu.be
