Vulnerabilities in the VxWorks operating system affect 2 billion devices in companies around the world

A serious cybersecurity problem has just been revealed and could take months, even years, to be solved. A group of network security experts discovered at least eleven zero-day vulnerabilities in the operating system for Integrated Real-Time Systems (RTOS) VxWorks. This is serious considering that this system drives more than 2 billion devices in fields such as defense, industry, medicine, networks and other critical infrastructures.

If exploited, these flaws could allow hackers to dodge any common security software to take full control of vulnerable devices, could even cause disruptions in the operation of these systems just like the exploitation of the vulnerability known as “EternalBlue”.

The following are the six most dangerous zero-days discovered in the RTOS enlisted by network security specialists:  

• Stack overflow in the parsing of IPv4 packets IP options (CVE-2019-12256)
• TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255)
• TCP Urgent Pointer state confusion caused by malformed TCP AO option (CVE-2019-12260)
• TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261)
• TCP Urgent Pointer state confusion due to race condition (CVE-2019-12263)
• Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)

In addition to these six severe vulnerabilities, experts discovered five additional flaws that can lead to denial of service, information leaks, and logical errors:

• TCP connection DoS via malformed TCP options (CVE-2019-12258)
• Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)
• Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)
• DoS via NULL dereference in IGMP parsing (CVE-2019-12259)
• IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)

Vulnerabilities affect all versions of the operating system since v6.5; “In other words, any version of VxWorks released over the last thirteen years contains the flaws,” network security experts added. 

Scenarios and methods of exploiting vulnerabilities

Scenario 1: Network security attack

Because VxWorks powers network devices that can be accessed from the public Internet (routers, switches, firewall deployments, etc.), a remote hacker could launch an attack directly against these devices by taking control over them and over the networks to which they are connected.

The scope of the attack is too extensive, so its exploitation could represent massive drops and security failures in multiple services and industrial operations. For example, hackers could disable firewall protection from the company SonicWall, which currently has nearly one million deployments running the VxWorks operating system.

Scenario 2: Out-of-Network Attacks

These vulnerabilities can not only be exploited on devices connected to the public Internet, even IoT equipments directly connected to their cloud application are equally vulnerable.

A potential attack would involve using malware to change DNS or deploying Man-in-The-Middle (MiTM) attacks to intercept the TCP connection of the target device and launch a remote code execution attack.

Scenario 3: Attack from inside the network

According to network security experts, an attacker with network access due to a previous attack could compromise the security of multiple devices simultaneously, not even need to be directly connected to the Internet. This attack vector could lead to data manipulation or extraction, hardware failures and more malicious activities.

Despite the seriousness of this finding, specialists from the International Institute of Cyber Security (IICS) add that these flaws do not affect other VxWorks products or developments primarily focused on software certification.