Urgent / 11

By Edgar Namoca on February 5, 2021

(By: Edgar Namoca on February 2, 2021)

Executive Summary

Urgent/11 comprises eleven zero-day flaws in the VxWorks real-time operating system (RTOS) [1]. VxWorks is a real-time operating system created and maintained by Wind River. It is used in supervisory control and data acquisition (SCADA) systems and in devices such as patient monitors, MRI machines, firewalls, routers, and industrial controllers such as programmable logic controllers (PLCs) and remote terminal units (RTUs) [2]. The Armis research team found these 11 vulnerabilities and named them Urgent/11 [3]. Research shows that these vulnerabilities can also affect other real-time operating systems that use IPnet, a third-party TCP/IP stack add-on for RTOSes.

Technical Details

IPnet is a third-party TCP/IP stack used in real-time operating systems; it supports scalable virtual routing and the creation of virtual networking environments. The Urgent/11 vulnerabilities reside in the VxWorks TCP/IP stack provided by IPnet [4]. With carefully crafted TCP packets, attackers can use them to gain remote code execution without any user interaction [3]. Urgent/11 is the most severe set of vulnerabilities found in VxWorks to date. Six of the eleven can be exploited for remote code execution [4]. The other five can be exploited to cause a denial of service (DoS), which is also dangerous in the many mission-critical environments where this operating system is used [4]. In an industrial setting, an adversary could use a specially crafted TCP packet to take over a switch running a vulnerable version of VxWorks, then scan the network for other devices running vulnerable versions of the VxWorks RTOS, such as programmable logic controllers (PLCs), patient monitoring devices, and additional firewalls and routers.

List of Vulnerabilities

Stack overflow in the parsing of IPv4 options, leading to RCE:

CVE-2019-12256

Memory corruption from erroneous handling of the TCP Urgent Pointer field, leading to RCE:

CVE-2019-12255
CVE-2019-12260
CVE-2019-12261
CVE-2019-12263

Heap overflow in DHCP Offer/ACK parsing in ipdhcpc:

CVE-2019-12257

Vulnerabilities leading to a denial of service, information leak, or logical flaws:

CVE-2019-12258
CVE-2019-12259
CVE-2019-12262
CVE-2019-12264
CVE-2019-12265
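The two header features the technical details and the list above single out, IPv4 options and the TCP Urgent Pointer, are cheap to inspect on the wire. The following is an added defensive example, not code from the original post or from Armis: a minimal IPv4/TCP header parser plus triage heuristics that flag packets carrying IPv4 options or unusual urgent-pointer values on a segment with VxWorks/IPnet hosts. The heuristics, the helper that builds sample packets, and all addresses are my own constructed assumptions, not Armis's published signatures.

```python
import struct

def build_ipv4_tcp(ip_options=b"", tcp_flags=0x18, urg_ptr=0, payload=b""):
    """Build a minimal IPv4+TCP packet as constructed test input (checksums left zero)."""
    ip_options += b"\x00" * (-len(ip_options) % 4)  # pad options to a 32-bit boundary
    ihl = 20 + len(ip_options)
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent pointer
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, tcp_flags, 8192, 0, urg_ptr)
    total = ihl + len(tcp_hdr) + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto 6 (TCP), checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, total, 1, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # TEST-NET-1 addresses
    return ip_hdr + ip_options + tcp_hdr + payload

def parse_ipv4_tcp(pkt):
    """Return the header fields relevant to Urgent/11 triage from a raw IPv4 packet carrying TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or len(pkt) < ihl or pkt[9] != 6:
        raise ValueError("malformed IPv4 header or not TCP")
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    data_off = (tcp[12] >> 4) * 4
    return {
        "ip_options_len": ihl - 20,                       # > 0 means IPv4 options are present
        "urg": bool(tcp[13] & 0x20),                      # URG flag
        "urg_ptr": struct.unpack("!H", tcp[18:20])[0],    # Urgent Pointer field
        "payload_len": max(0, min(total_len, len(pkt)) - ihl - data_off),
    }

def urgent11_indicators(pkt):
    """Heuristic (assumed, not Armis's rules) reasons a packet deserves a closer look."""
    info = parse_ipv4_tcp(pkt)
    reasons = []
    if info["ip_options_len"]:
        reasons.append("ipv4-options:%d" % info["ip_options_len"])
    if info["urg"]:
        reasons.append("tcp-urg-flag")  # URG is rare in modern traffic, so worth logging at all
        if info["urg_ptr"] == 0 or info["urg_ptr"] > info["payload_len"]:
            reasons.append("urg-pointer-out-of-range:%d" % info["urg_ptr"])
    elif info["urg_ptr"]:
        reasons.append("urg-pointer-without-urg-flag:%d" % info["urg_ptr"])
    return reasons
```

Feeding the indicator list into a SIEM alert per source address, combined with an asset inventory of VxWorks devices, gives a cheap compensating control until the devices are patched.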

Importance

The main concern with Urgent/11 is the wide use of VxWorks across many mission-critical operations. The ability to achieve RCE without user intervention makes this set of vulnerabilities as dangerous as EternalBlue. The vulnerabilities exist solely because of VxWorks' use of the IPnet stack. Other RTOSes using the IPnet stack are also vulnerable to these exploits, which makes the problem more widespread than first thought. Going forward, companies should look at replacing legacy products such as IPnet to avoid these vulnerabilities. The current pandemic has made health care systems an ideal target for adversaries looking to make a quick buck. Using Shodan, we can still find an abundance of devices running vulnerable versions of the VxWorks RTOS. A statement from Armis researchers said that 97% of the vulnerable devices identified had not been patched within the last 18 months [5]. This abundance of devices shows a lack of awareness of the vulnerability among both consumers and adversaries. Given how long this vulnerability has been publicly known, all of these devices should have been patched by now; we know this is not the case. It is therefore only a matter of time until adversaries start using Urgent/11 as a means of entry to conduct further malicious actions.

Sources

[1] https://www.securityweek.com/critical-industries-risk-eleven-zero-day-flaws-real-time-operating-system

[2] https://www.bleepingcomputer.com/news/security/urgent-11-vxworks-rtos-vulnerabilities-found-critical-systems-affected/

[3] https://www.fda.gov/medical-devices/safety-communications/urgent11-cybersecurity-vulnerabilities-widely-used-third-party-software-component-may-introduce

[4] https://www.armis.com/urgent11/

[5] https://www.armis.com/resources/iot-security-blog/unpatched-unprepared-unprotected-how-critical-device-vulnerabilities-remain-unaddressed/