'Urgent 11' vulnerabilities in VxWorks operating systems

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates to be notified as soon as we publish an advisory.

10:30am, 9 August 2019

TLP Rating: Clear

'Urgent 11' vulnerabilities in VxWorks operating systems

CERT NZ is aware of critical vulnerabilities in VxWorks operating systems. Reports have stated that over 200 million devices could be affected. VxWorks operating systems are used by various manufacturers in a wide-range of devices including industrial, medical, personal, and enterprise devices.

Wind River, the maintainer of VxWorks has released an updated version, 7 SR620, to fix these vulnerabilities.

What's happening

Systems affected

Six of the vulnerabilities are classified as critical and susceptible to Remote Code Execution (RCE), and are wormable. The family of vulnerabilities, named 'Urgent 11' impact VxWorks versions 6.5 – 6.9, and VxWorks 7 SR540 and SR610. 

Wind River have reported that the following versions are affected:

  • VxWorks 7 SR540 and VxWorks 7 SR610
  • VxWorks 6.9.4.11 and earlier releases
  • Older, end-of-life versions of VxWorks, including VxWorks 6.5 and later
  • All versions of the discontinued product Wind River Advanced Networking Technologies
  • VxWorks 653 3.x Multi-core Edition may be affected

Devices running the following versions are not affected:

  • The latest release of VxWorks, VxWorks 7 SR620
  •  VxWorks 5.3 through VxWorks 6.4 inclusive
  • VxWorks Cert versions
  •  VxWorks 653 versions 2.x and earlier
  •  VxWorks 653 MCE 3.x Cert Edition and later

These vulnerable implementations are found in a significant range of products listed on the Armis website, including, but not limited to: 

This list is likely to change as more organisations understand the impact of the vulnerabilities on their products. We recommend regularly checking the Armis website for updates to this list.

Armis website - ‘Urgent 11' updates on affected products External Link

Wind River website - list of affected products  External Link

What this means

Armis reports that these RCE vulnerabilities are serious as they are wormable. They allow attackers to take over devices without user interaction and bypass perimeter security devices like firewalls and NAT solutions. 

As these products are widely-used, attackers may be able to create a large scale botnet, or gain footholds within networks. Armis reports that the remaining five vulnerabilities are classified as denial-of-service, information leaks or logic flaws.

What to look for

How to tell if you're at risk

You are at risk if you are running products that use VxWorks versions:

  • VxWorks 7 SR540 and VxWorks 7 SR610
  • VxWorks 6.9.4.11 and earlier releases
  • Older, end-of-life versions of VxWorks, including VxWorks 6.5 and later
  • All versions of the discontinued product Wind River Advanced Networking Technologies
  • VxWorks 653 3.x Multi-core Edition
  • Products that incorporate VxWorks, as detailed in the ‘Systems Affected’ section of this advisory, above.

Armis has sample SNORT rules that you can use to detect attempted exploitation of some of these vulnerabilities.

Armis ‘Urgent 11’ External Link

What to do

Prevention

If you’re using any of the products listed on the Armis blog, or linked sites, CERT NZ recommends contacting the manufacturer to find out if they're affected by the VxWorks vulnerabilities. If the product is vulnerable, it’s critical to update.

If software updates are not available for your device, you may need to consider a replacement, or an alternative mitigation strategy. For instance, in some cases, it may be possible to place a firewall between at-risk devices and untrusted networks, which could be used to filter out malicious traffic.

More information

Armis Urgent 11 External Link

Wind River ‘Urgent 11’ security announcement  External Link

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384