Armis recently discovered 11 zero-day vulnerabilities — 6 critically-rated — in VxWorks, the leading real-time operating system used in devices across industrial, medical and enterprise environments. Armis believes Urgent11 impacts millions of devices.
If exploited, Urgent11 could allow a complete takeover of the device and cause disruption on a scale similar to what resulted from the EternalBlue vulnerability.
Real-time operating systems are relied upon for their high degree of accuracy and reliability. The breadth of this finding is significant because RTOSes are used in a broad range of industries and in devices that everyday people trust for safety and reliability.
The traditional definition of zero-days is vulnerabilities for which vendors have not yet released a patch, but IoT is challenging this definition because of its complicated ecosystem. Armis has been collaborating extensively with Wind River, which has made every effort to create and issue patches to all VxWorks users. However, some vulnerabilities will remain zero-days because some of the affected connected devices cannot be updated easily, and until all device manufacturers issue firmware upgrades, devices remain vulnerable.
“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their mission-critical devices in their daily operations—from healthcare to manufacturing and even security businesses. This is why Urgent11 is so important. The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern.”
Urgent11’s Remote Code Execution (RCE) vulnerabilities could give an attacker full control over a targeted device, via unauthenticated network packets. Any connected device leveraging standard VxWorks that includes the IPnet stack is affected by at least one of the discovered vulnerabilities. These include some internet-facing devices located at the perimeter of organizational networks, such as modems, routers and firewalls. Any vulnerability in such a device may enable an attacker to breach networks directly from the internet. Devices protected by perimeter security measures can also be vulnerable once they create TCP connections to the internet. These connections can be hijacked and used to trigger the discovered TCP vulnerabilities, allowing attackers to take over the device and access the internal network.
“Urgent11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected,” said Yevgeny Dibrov, CEO and co-founder of Armis. “The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk.”
VxWorks is pervasive and trusted due to its rigorous and high-achieving safety certifications and its high degree of reliability and real-time accuracy. In its 32-year history, only 13 Common Vulnerabilities and Exposures (CVEs) have been listed by MITRE as affecting VxWorks. Armis discovered unusually low-level vulnerabilities within the IPnet stack affecting the VxWorks versions released in the last 13 years, from version 6.5 and above. These are the most severe vulnerabilities found in VxWorks to date.
The IPnet networking stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of real-time operating system vendors.
Wind River has been working in collaboration with Armis on this matter, and customers were notified and issued patches to address the vulnerabilities last month. To the best of both companies' knowledge, there is no indication the Urgent11 vulnerabilities have been exploited.