Update: VxWorks OS vulnerable to Urgent/11 - could lead to a WannaCry-like situation

The VxWorks operating system is vulnerable to Urgent/11, a set of flaws that researchers say could lead to a WannaCry-like situation if exploited by malicious actors; Wind River disputes the suggested extent and impact of the problem.

A series of vulnerabilities has been discovered in some implementations of the real-time operating system (RTOS) VxWorks, which is used in more than two billion devices across sectors including healthcare, transportation, aviation and other industrial operations. Dubbed Urgent/11, these could lead to a WannaCry-like situation if exploited by malicious actors, researchers say.

"Urgent/11 vulnerabilities affect several devices we can find in our daily lives, especially in healthcare. In fact VxWorks is an operating system commonly used in real-time devices like MRI machines and patient monitors. Attacking these kinds of devices can lead to critical impacts like changing the behaviour of those devices and providing wrong information to doctors/patients," Alessandro Di Pinto, security research manager at Nozomi Networks, told SC Media UK.

First reported and analysed by Armis and further probed by Wind River, the vulnerabilities are particularly notable because they allow attackers to take over devices without user interaction.

"Urgent/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions. These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks," said the Armis report, adding: "Such an attack has a severe potential, resembling that of the EternalBlue vulnerability, used to spread the WannaCry malware." 

However, in an email to SC Media UK, Wind River said: "The vulnerabilities are not all wormable." It added: "The devices impacted by the vulnerabilities make up a small subset of our customer base, and primarily include enterprise devices that are internet-facing such as modems, routers, and printers, NOT critical infrastructure…our critical infrastructure customers use versions of the product that are not impacted by the vulnerabilities."

In a blog post, Arlen Baker, chief security architect at Wind River, suggested that responding to the vulnerabilities has allowed the company to strengthen its security. Baker also commented: "The 200 million number cited by Armis is not confirmed, nor do we believe it to be that high."

"Multiple SCADA devices and industrial controllers are based on VxWorks. A potential situation would be using one or more of the Urgent/11 vulnerabilities to take control of the industrial process, changing its expected behaviour," said Di Pinto.

Armis promptly released four publicly available threat signatures for URGENT/11. However, Nozomi Networks discovered that the signatures can result in many false positives when used in industrial networks that contain legacy devices. 

"Some of the proposed solutions are useful to network defenders to rapidly detect suspicious packets travelling the network, but on the other hand they are generic, meaning that legitimate traffic can also trigger them in different situations," said Di Pinto.

"For example, using the URG flag in a TCP connection is a prerequisite for some of the reported issues but it can also be present for legitimate connections; using this check alone can lead to FPs."

Wind River says its customers were notified and provided with patches and mitigation options before the vulnerabilities were disclosed. According to the Armis report, 15 organisations, from ABB to Xerox, have issued advisories regarding Urgent/11 and their devices. However, this does little to reduce the threat, said Di Pinto.

"It will be the responsibility of the different vendors to provide new updated firmware for their devices. Generically speaking, in most of the cases, it is not possible for end-users to update their devices just by applying patches; they need to wait for updates from the vendor," he explained.

Nozomi has created effective detection signatures based on multiple indicators, in order to make detections robust and less prone to false positives, said Di Pinto. 

"We are actually deploying both new updates using our OT Threat Feeds service and improving our detection engine in order to dynamically detect exploitation attempts."
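To illustrate the point Di Pinto makes above about single-indicator signatures, and the multi-indicator approach Nozomi describes, here is an added example: it is not code from Armis, Nozomi Networks or Wind River and does not reproduce any vendor's actual signatures. The script parses raw TCP segments and compares a rule that fires on the URG flag alone with a rule that also requires a second indicator, a zero urgent pointer, which is assumed here to be anomalous (the URG flag set but no urgent data under the RFC 6093 reading of the field). All sample segments are constructed for the example; the telnet out-of-band segment stands in for the legitimate use of URG that a flag-only rule reports as a hit.

```python
"""Illustrative TCP URG-flag detection: single-indicator vs multi-indicator rules.
Added example, not vendor code; the anomaly condition and sample traffic are assumptions."""
import struct
from dataclasses import dataclass
from typing import Dict, List

TCP_FLAG_URG = 0x020  # URG bit in the low byte of the TCP offset/flags word


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    flags: int
    urgent_pointer: int
    payload: bytes


def parse_tcp(raw: bytes) -> TcpSegment:
    """Parse a raw TCP segment (header plus payload, no IP header in front)."""
    if len(raw) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    src, dst, _seq, _ack, off_flags, _win, _csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    data_offset = (off_flags >> 12) * 4   # header length in bytes
    flags = off_flags & 0x1FF             # NS CWR ECE URG ACK PSH RST SYN FIN
    if data_offset < 20 or data_offset > len(raw):
        raise ValueError("bad TCP data offset")
    return TcpSegment(src, dst, flags, urg, raw[data_offset:])


def build_tcp(src_port: int, dst_port: int, flags: int, urgent_pointer: int,
              payload: bytes = b"") -> bytes:
    """Build a segment with a plain 20-byte header (checksum left zero; test data only)."""
    off_flags = (5 << 12) | (flags & 0x1FF)
    header = struct.pack("!HHIIHHHH", src_port, dst_port, 1000, 2000,
                         off_flags, 65535, 0, urgent_pointer)
    return header + payload


def naive_urg_rule(seg: TcpSegment) -> bool:
    """Single-indicator rule: alert on any segment carrying the URG flag."""
    return bool(seg.flags & TCP_FLAG_URG)


def combined_urg_rule(seg: TcpSegment) -> bool:
    """Multi-indicator rule (assumed for illustration): URG set AND a zero
    urgent pointer, i.e. an urgent flag with no urgent data behind it."""
    if not seg.flags & TCP_FLAG_URG:
        return False
    return seg.urgent_pointer == 0


# Constructed sample traffic (not captured from any real network).
SAMPLE_TRAFFIC: Dict[str, bytes] = {
    # Ordinary HTTP data segment: PSH|ACK, no URG.
    "http_data": build_tcp(51000, 80, 0x018, 0, b"GET / HTTP/1.1\r\n\r\n"),
    # Telnet Interrupt Process sent out-of-band: URG|ACK with urgent pointer 1.
    # Legitimate URG use that a flag-only signature mistakes for an attack.
    "telnet_oob": build_tcp(51001, 23, 0x030, 1, b"\xff\xf4"),
    # URG set with a zero urgent pointer: the anomaly the combined rule keys on.
    "urg_zero_ptr": build_tcp(51002, 23, 0x030, 0, b"A" * 8),
    # SYN to a Modbus port, no payload, no URG.
    "syn": build_tcp(51003, 502, 0x002, 0),
}


def run_rules(traffic: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return, per rule, the names of the segments it alerts on."""
    hits: Dict[str, List[str]] = {"naive": [], "combined": []}
    for name, raw in traffic.items():
        seg = parse_tcp(raw)
        if naive_urg_rule(seg):
            hits["naive"].append(name)
        if combined_urg_rule(seg):
            hits["combined"].append(name)
    return hits


if __name__ == "__main__":
    for rule, names in run_rules(SAMPLE_TRAFFIC).items():
        print(f"{rule}: {names}")
```

Run against the constructed traffic, the flag-only rule reports both the telnet segment and the zero-pointer segment, while the combined rule reports only the latter. Real signatures would add further context (connection state, target port, option layout) on top of this, but the principle is the same: each indicator on its own matches legitimate traffic, and the false-positive rate falls as the rule demands more of them together.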
