URGENT!! 11 Vulnerabilities!! – Check All Your Devices for New Updates!
There’s an operating system that is used by billions of devices around the world, and you have probably never heard of it.
It’s called VxWorks and, as I mentioned, you have probably never heard of it. So why am I talking about VxWorks, and more importantly, why on earth should you care?
For starters, you will find VxWorks in all kinds of things such as:
- Some Xerox and Ricoh printers
- Some Sonicwall Firewall models (and other Firewalls)
- SCADA equipment (like Rockwell)
- VOIP phones
- Medical equipment
- Hyundais
- BMWs
- The upcoming 2020 Mars Rover… and I haven’t even got started yet…
The number of devices running this OS (Operating System) around the world is estimated at around 2 billion! That’s a 2 followed by 9 zeros, or 2,000,000,000.
You have likely never heard of VxWorks because it’s a Real Time Operating System (RTOS). Windows, Android, iOS, Unix, and macOS are not RTOSes. When you perform an action in any of those other OSes, what happens in the background is that the request is passed off to the OS, prioritized and queued. The action doesn’t happen right away; it has to wait until the OS is not busy.
This is fine for some things like saving a file or clicking a mouse, but what about hitting your brakes or deploying an airbag? When certain things occur, something needs to happen immediately. When systems like that are controlled by a computer, you need an RTOS to handle things, or the reaction may not happen fast enough. That’s where VxWorks comes in.
Now then, there are a couple of reasons why the group of vulnerabilities is called “Urgent/11”:
1) There are 11 total vulnerabilities.
2) As a group, they impact every version of VxWorks released over the past decade (most versions are impacted by at least 6 of them).
Six out of the 11 are really important, because they allow for a complete take-over of the device, with zero user interaction. Also, the root problem lies in the logic the devices use to process the traffic they receive. In short, sending a specially crafted packet could allow for unlimited device access, execution of any program you like (remote code execution), or a reboot (denial of service). Imagine your brakes applying at random, or worse, not applying at all, due to a virus exploiting Urgent/11.
Yes, they’re bad. It’s hard to get an exact list of which devices or manufacturers use VxWorks. In general, I don’t recommend making any device directly accessible from the Internet unless it’s absolutely required by the nature of the service (email, website, etc.). If it’s nothing like that, I recommend proper network segregation and requiring a VPN login to access the resource.
As for what to do about the Urgent/11, I would recommend checking into any industrial control equipment you may have in your organization (water treatment plant equipment, HVACs, etc.) and seeing whether the company has recently released a patch. Also, any printers in your possession may have firmware updates available. Make sure to monitor those and apply them (if the printer has an automatic update feature, make sure it’s enabled and working). If a manufacturer hasn’t released a patch and you have concerns, maybe contact them and find out whether they are using VxWorks on their devices.
If you have any questions about the Urgent/11, you can always reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyberman.