The Armis research team recently revealed 11 vulnerabilities, ranging from denial of service to remote code execution, affecting the VxWorks operating system. VxWorks is a real time operating system used in millions of embedded devices, from consumer electronics to medical devices. The vulnerabilities discovered bypass most forms of security and can even be used on the devices designed to secure the infrastructure if they utilize VxWorks.
The most critical vulnerabilities found allow for remote code execution on the target devices. Five of the critical vulnerabilities found require no interaction on the target system and are exploitable no matter how the device is configured. The sixth vulnerability requires the VxWorks internal DHCP client to parse a specially crafted response from an IP address allocation request. While this may seem like a difficult attack scenario, DHCP requires no authentication during these requests. This means an attacker can just wait, listening on the network until a request is made, and then spoof a malicious response before the real server. These vulnerabilities could allow for full takeover of a target network that used VxWorks based firewalls, making them especially dangerous.
Besides the critical vulnerabilities, there were also five lower impact, but still impactful, vulnerabilities found. One of the vulnerabilities allows for a complete denial of service which can be triggered by an attacker outside of the network. The other denial of service vulnerabilities discovered require the attacker to be in network proximity of the vulnerable device but can still prevent the vulnerable device from functioning if triggered.
Armis describes three attack scenarios in their release document. The first scenario is based on the attacker being outside of the target network. VxWorks is used in a number of firewall devices and are immediately able to be exploited because they handle all network traffic. The second attack scenario is similar to the first in that the attack is outside of the network but are able to attack devices inside the network that can be reached from the outside. The third attack scenario is by an attacker positioned inside the network, such as on wifi or a guest network.
VxWorks is sold and supported by Wind River, who was notified about the vulnerabilities. Wind River posted a security advisory covering the vulnerabilities and updates for affected customers. It is critical that affected devices are patched as soon as updates for them are available to prevent exploitation of these flaws.