Eleven zero-day vulnerabilities in VxWorks expose more than two million devices worldwide

Security researchers warn that six of the 'URGENT/11' vulnerabilities are critical and could facilitate remote access attacks on embedded devices

Security researchers claim to have uncovered 11 zero-day vulnerabilities in the VxWorks real-time operating system, exposing more than two million devices.

VxWorks is used to run a variety of 'continuously functioning devices', such as medical equipment, firewalls, elevator controllers, and satellite modems. The operating system is also a popular choice for powering Internet of Things (IoT) devices and industrial control products. Most of Huawei's commercial networking equipment runs on VxWorks, for example.

But researchers at security firm Armis claim to have discovered a cluster of 11 vulnerabilities, collectively named URGENT/11, in VxWorks' TCP/IP networking stack. Six of the 11 vulnerabilities are critical and could allow attackers to remotely access vulnerable devices. These flaws could also let a worm spread malware to other vulnerable devices.

The bugs affect most versions of the operating system, including version 6.5, released in 2006, although none of them was found to affect the latest version of VxWorks — released last week — or the versions developed for safety certification, including VxWorks Cert Edition and VxWorks 653.

So far, researchers have found no evidence of any exploits or attacks taking advantage of the security flaws, but they warn that the disruption caused by any exploitation of these flaws could be on a scale similar to that caused by the EternalBlue vulnerability.

The vulnerabilities were disclosed to VxWorks developer Wind River in March. The company says that it has already created patches for the bugs and is currently in the process of distributing them.

"Wind River has created and fully tested patches for the security vulnerabilities that were discovered in the TCP/IP stack (IPnet), a component of certain versions of VxWorks. To date, there is no indication that the vulnerabilities have been exploited. Organisations deploying devices with VxWorks are advised to patch impacted devices immediately," Wind River wrote in an online post.

Armis researchers, however, believe that patching all vulnerable devices may take much longer, given the wide variety of disparate embedded devices in which VxWorks is used.

"Finding a vulnerability in the network layer means it would affect any device that is using this operating system and that has networking capabilities," says Ben Seri, vice president of research at Armis. "It's like the holy grail of vulnerability research, finding something in that layer."

Concerns surrounding the security of IoT devices are not new. Last year, Avast researcher Martin Hron claimed that he had discovered a big hole in the security of IoT devices.

The growing number of attacks targeting IoT devices has also forced the UK's Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) to publish new measures to boost the security of IoT devices.