Critical Vulnerabilities Affect 2 Billion VxWorks Devices

Security researchers at Armis discovered 11 vulnerabilities in the VxWorks real-time operating system, which is used in close to 2 billion IoT devices, control systems and medical devices.

Six vulnerabilities are rated critical and have been collectively called “Urgent/11.” A hacker could remotely exploit them with no need for user interaction. If successful, a hacker could take complete control of a vulnerable device.

VxWorks was created more than 30 years ago as an ultra-reliable operating system able to process data fast. It is now considered the most widely used real-time operating system. It has been used in MRI machines, patient monitors, elevator control systems, data acquisition systems, industrial controllers, firewalls, modems, routers, printers and VoIP phones.

The Armis researchers reported the vulnerabilities to Wind River, and patches that address them are now available. According to Wind River, all supported versions of VxWorks are currently impacted by at least one vulnerability. The vulnerabilities are found in the VxWorks Transmission Control Protocol/Internet Protocol (TCP/IP) stack, also called IPnet.

The following are the discovered vulnerabilities:

  • CVE-2019-12256 – Stack-based buffer overflow with CVSS v3 score of 9.8
  • CVE-2019-12257 – Heap-based buffer overflow with CVSS v3 score of 8.8
  • CVE-2019-12255 – Integer underflow with CVSS v3 score of 9.8
  • CVE-2019-12258 – Argument injection or modification with CVSS v3 score of 7.5
  • CVE-2019-12259 – Null pointer dereference with CVSS v3 score of 6.3
  • CVE-2019-12260 – Poor restriction of operations in memory buffer with CVSS v3 score of 9.8
  • CVE-2019-12261 – Poor restriction of operations in memory buffer with CVSS v3 score of 8.8
  • CVE-2019-12263 – Concurrent execution utilizing shared resource with poor synchronization with CVSS v3 score of 8.1
  • CVE-2019-12262 – Argument injection or modification with CVSS v3 score of 7.1
  • CVE-2019-12264 – Argument injection or modification with CVSS v3 score of 7.1
  • CVE-2019-12265 – Argument injection or modification with CVSS v3 score of 5.4

VxWorks versions that are at or nearing end of life (Versions 6.5 and older) and Advanced Networking Technology (ANT), which has been discontinued, are affected by a number of the vulnerabilities. Wind River additionally reported that CVE-2019-12256 impacts the VxWorks bootrom network stack, which uses the same IPnet source as VxWorks.

The vulnerabilities did not affect the following VxWorks products:

  • VxWorks 5.3 to VxWorks 6.4 inclusive
  • VxWorks Cert versions
  • VxWorks 653 Versions 2.x and prior versions
  • VxWorks 653 MCE 3.x Cert Edition and later editions.

To obtain patches for the affected VxWorks versions, send an email to Wind River at SIRT@windriver.com and indicate the product version that needs a patch. Xerox and Rockwell Automation have issued security advisories concerning the vulnerabilities as well.

Affected users were encouraged to apply the patches immediately. To date, Wind River has not received any report that the vulnerabilities were exploited.