'Urgent 11' vulnerabilities in VxWorks operating systems

Six of the vulnerabilities are classified as critical and susceptible to Remote Code Execution (RCE), and are wormable. The family of vulnerabilities, named 'Urgent 11' impact VxWorks versions 6.5 – 6.9, and VxWorks 7 SR540 and SR610. 

Wind River have reported that the following versions are affected:

• VxWorks 7 SR540 and VxWorks 7 SR610
• VxWorks 6.9.4.11 and earlier releases
• Older, end-of-life versions of VxWorks, including VxWorks 6.5 and later
• All versions of the discontinued product Wind River Advanced Networking Technologies
• VxWorks 653 3.x Multi-core Edition may be affected

Devices running the following versions are not affected:

• The latest release of VxWorks, VxWorks 7 SR620
•  VxWorks 5.3 through VxWorks 6.4 inclusive
• VxWorks Cert versions
•  VxWorks 653 versions 2.x and earlier
•  VxWorks 653 MCE 3.x Cert Edition and later

These vulnerable implementations are found in a significant range of products listed on the Armis website, including, but not limited to: 

• ABB External Link
• Arris Modems
• Avaya VOIP Media Gateways
• Belden Industrial Devices External Link
• Dräger External Link
• Kyocera Printers
• NetApp External Link
• Ricoh Printers
• Rockwell PLCs External Link  
• Samsung Printers
• Schneider Electric External Link
• Siemens External Link
• Sonicwall Firewalls External Link
• Xerox Printers External Link

This list is likely to change as more organisations understand the impact of the vulnerabilities on their products. We recommend regularly checking the Armis website for updates to this list.

Armis website - ‘Urgent 11' updates on affected products External Link

Wind River website - list of affected products  External Link

Armis reports that these RCE vulnerabilities are serious as they are wormable. They allow attackers to take over devices without user interaction and bypass perimeter security devices like firewalls and NAT solutions. 

As these products are widely-used, attackers may be able to create a large scale botnet, or gain footholds within networks. Armis reports that the remaining five vulnerabilities are classified as denial-of-service, information leaks or logic flaws.

You are at risk if you are running products that use VxWorks versions:

• VxWorks 7 SR540 and VxWorks 7 SR610
• VxWorks 6.9.4.11 and earlier releases
• Older, end-of-life versions of VxWorks, including VxWorks 6.5 and later
• All versions of the discontinued product Wind River Advanced Networking Technologies
• VxWorks 653 3.x Multi-core Edition
• Products that incorporate VxWorks, as detailed in the ‘Systems Affected’ section of this advisory, above.

Armis has sample SNORT rules that you can use to detect attempted exploitation of some of these vulnerabilities.

Armis ‘Urgent 11’ External Link

If you’re using any of the products listed on the Armis blog, or linked sites, CERT NZ recommends contacting the manufacturer to find out if they're affected by the VxWorks vulnerabilities. If the product is vulnerable, it’s critical to update.

If software updates are not available for your device, you may need to consider a replacement, or an alternative mitigation strategy. For instance, in some cases, it may be possible to place a firewall between at-risk devices and untrusted networks, which could be used to filter out malicious traffic.