Series of Zero-Day Vulnerabilities Could Endanger 200 Million Devices

  /     /     /  
Publicated : 23/11/2024   Category : security


Series of Zero-Day Vulnerabilities Could Endanger 200 Million Devices


Vulnerabilities in VxWorks TCP stack could allow an attacker to execute random code, launch a DoS attack, or use the vulnerable system to attack other devices.



A series of vulnerabilities in a real-time operating system (RTOS) could leave up to 200 million devices open to exploit. And those devices include everything from network firewalls to medical devices. The vulnerabilities arent theoretical — the exploits have been demonstrated — and many of the affected devices havent been touched or actively managed in years.
A team of researchers from Armis found 11 critical zero-day vulnerabilities in VxWorks, a popular RTOS that has been in use since the late 1980s. The vulnerabilities, which include 6 remote code execution (RCE) vulnerabilities, and 5 that are denial of service, information leak, or logical flaw vulnerabilities, are present in versions of the operating system that span more than 13 years.
The RCE vulnerabilities, which would allow an attacker to execute any code they choose on a vulnerable system, have an additional quality that makes them critical. Normally, when a network vulnerability is exploited, the attack comes from inside the network, says Ben Seri, vice president of research at Armis. He points out that firewalls and other network edge devices are programmed to recognize and stop network vulnerability exploits that come from outside the network.
In this case, an attacker can
leverage a vulnerability
to attack a device thats behind network address translation (NAT) and behind a firewall, Seri explains, because, The vulnerability is in the TCP header itself. It traverses these devices without being stopped by the firewall.
The issue, he says, is that the
contents
of a packet can be encrypted to be protected from theft or corruption, but
headers
travel in clear-text. If an attacker knows network communication is taking place, they can intercept the traffic and make their changes to the header without needing to know the packets contents.
As has been the case with a number of other vulnerabilities, the problems are made worse by mis-configuration. These are pretty basic memory exploit bugs, but users have to enable existing security features, says Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT). The devices [Armis] were testing werent making use of the secure configuration. From my experience, this isnt rare.
One of the factors complicating the way companies will address the vulnerabilities is that it can be very difficult to know whether a particular IoT device is running VxWorks. A very big concern, when I start thinking about this, is how do we identify whos impacted? How does a business or organization identify, hey, do I have these things in my environment or not have these things in my environment? asks Deral Heiland, research lead for IoT technology at Rapid 7. Most organizations, he says, dont know which operating systems are running under the covers of the firewalls, routers, printers, or process controllers in their organization.
Its often like a plug and ignore thing, Heiland explains. If it happens to be on a printer or cable modem or some kind of communication device, its not core to the business, but a side function of the business operation. And since theyre not core functionality, many organizations wont know whether theyre vulnerable or not.
Seri is quick to point out that there is some
good news with the bad
. While the vulnerabilities exist in every version of VxWorks from v6.5 forward, they are not present either in VxWorks 653 or VxWorks Certified — the versions most often used in the most sensitive and critical devices.
In addition, Young says the the sky is not falling due to these vulnerabilities in VxWorks
TCP stack
routines. This cant be trivially exploited by anyone without skill, he says. When its exploited, it will be on a per-device basis and the attacks will take time.
Even with the difficulty, though, the pool of potential victims is very large. Dave Weinstein, CSO of Claroty, says, The potential for scale is pretty high. And while there has been no evidence of infections in the wild, theres a good chance that hackers have exploited this vulnerability given how long it goes back. 
Weinstein says that hes cautious about pronouncements of doom, and general prefers that difficult to patch vulnerabilities be communicated in private, rather than through public disclosure. But, he admits, Then again, that wont land you on a big stage at BlackHat.
Seri and fellow researcher For Zusman will present their findings in
Critical Zero Days Remotely Compromise the Most Popular Real-Time OS
, on Thursday, August 8, at Black Hat USA.
Related Content:
Kaspersky Helps Eliminate Critical Vulnerabilities in Smart Home Controller
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
DHS Tests Remote Exploit for BlueKeep RDP Vulnerability
Consumer IoT Devices Are Compromising Enterprise Networks
New Intel Vulnerabilities Bring Fresh CPU Attack Dangers
 
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the 
conference
 and 
to register.

Last News

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Series of Zero-Day Vulnerabilities Could Endanger 200 Million Devices