A set of vulnerabilities has been discovered in the VxWorks RTOS that makes it possible to exploit the operating system on over 800,000 devices connected to the web. The 11 vulnerabilities vary in severity and type; the most interesting of the bunch is a stack overflow in the IPnet TCP/IP stack. With a specially crafted IPv4 packet, an attacker can force a stack overflow and achieve unauthenticated remote code execution (RCE) on vulnerable devices.

This specific vulnerability affects devices running VxWorks v6.9.4 and newer. The CVE identifier assigned to it is CVE-2019-12256.

If an attack succeeds, the attacker gains a foothold in the target network and can move further into it. To monitor your VxWorks devices for exploitation attempts, you can use a network IDS such as Suricata or Snort in combination with a set of specially crafted rules. Such Suricata scripts are publicly available on GitHub.
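The following Python example is added here and is not taken from the Suricata scripts mentioned above. The public CVE description places the CVE-2019-12256 overflow in the parsing of IPv4 options, so the example audits the options area of a raw IPv4 header for source-route options and out-of-bounds lengths, the kind of protocol sanity check an IDS rule encodes; the function names and sample packets are constructed for illustration.

```python
import struct

LSRR, SSRR = 0x83, 0x89   # RFC 791 loose / strict source route option types

def audit_ipv4_options(pkt: bytes) -> list:
    """Return findings for the options area of one raw IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not an IPv4 header"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return ["invalid IHL"]
    opts, i, findings, routes = pkt[20:ihl], 0, [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            findings.append("option length out of bounds")
            break
        length = opts[i + 1]
        if kind in (LSRR, SSRR):
            routes += 1
            # RFC 791: 3-byte prefix, then 4-byte addresses; pointer starts at 4
            if length < 3 or (length - 3) % 4 or opts[i + 2] < 4:
                findings.append("malformed source-route option")
        i += length
    if routes:
        findings.append("source-route option present")
    if routes > 1:
        findings.append("multiple source-route options")
    return findings

def build_header(options: bytes = b"") -> bytes:
    """Constructed sample input: IPv4 header (checksum left at 0) plus options."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ver_ihl = (4 << 4) | ((20 + len(options)) // 4)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(options), 0, 0,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

if __name__ == "__main__":
    samples = {"plain": build_header(),
               "lsrr": build_header(bytes([LSRR, 7, 4, 203, 0, 113, 5])),
               "bad-length": build_header(bytes([0x44, 40, 5, 0]))}
    for name, pkt in samples.items():
        print(name, audit_ipv4_options(pkt))
```

RFC 7126 advises dropping packets that carry LSRR or SSRR by default, so any finding on a segment that hosts VxWorks devices is worth investigating.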

Vendor responses to URGENT/11 have been tracked publicly in a GitHub gist; however, many vendors that are known to use VxWorks are not listed in it. If you are using known vulnerable devices that are not outward facing, contact your vendor about patching and deploy IDS monitoring inside your network.

For more information on URGENT/11, you can read a more detailed write-up at Armis.
