The discovery of vulnerabilities in industrial hardware and software is a nearly everyday occurrence. As such, Automation World doesn’t tend to report on them individually because users are notified of issues by their suppliers, and affected suppliers typically respond immediately to address them.
While the process of notification and remediation is occurring in this instance as well, we feel the discovery by Armis Labs (a supplier of IoT security) of 11 zero-day vulnerabilities in Wind River's VxWorks warrants extra attention due to the scope of the issue, as it affects several industrial automation suppliers. If you’re not familiar with VxWorks, it is one of the most widely used real-time operating systems (RTOS) in industrial automation. According to Armis, VxWorks is used in more than two billion devices across industrial, medical, and enterprise environments in mission-critical systems such as supervisory control and data acquisition (SCADA) systems, elevator and industrial controllers, patient monitors and MRI machines, firewalls, routers, modems, VOIP phones, and printers.
Wind River notes that the 2 billion devices referenced by Armis Labs are related to Wind River's VxWorks customer base, not the total number of devices impacted. "These vulnerabilities actually impacted a small subset of our customer base, and primarily include enterprise devices that are internet-facing, such as modems, routers, and printers, as well as some industrial and medical devices," said Jessica Miller, senior director of corporate communications, Wind River.
To give you an idea of the scope of this issue, Armis issued the following list of companies and/or devices using VxWorks versions potentially impacted by Urgent/11: ABB, Arris Modems, Avaya VOIP Media Gateways, Belden Industrial Devices, Dräger, Kyocera Printers, NetApp, Philips, Ricoh Printers, Rockwell PLCs, Samsung Printers, Schneider Electric, Siemens, Sonicwall, Woodward, and Xerox.
GitHub is continuously tracking vendor responses to Urgent/11. You can follow their compilation of updates here.
Of the 11 zero-day vulnerabilities (named Urgent/11) that Armis discovered in VxWorks, the company considers six to be critical. “Urgent/11 includes six remote code execution vulnerabilities that could give an attacker full control over a targeted device via unauthenticated network packets,” Armis stated in a release about the vulnerabilities. “Any connected device leveraging VxWorks that includes the IPnet stack is affected by at least one of the discovered vulnerabilities. They include some devices that are located at the perimeter of organizational networks that are internet-facing, such as modems, routers, and firewalls. Any vulnerability in such a device may enable an attacker to breach networks directly from the internet. Devices protected by perimeter security measures also can be vulnerable once the devices create TCP connections to the internet. These connections can be hijacked and used to trigger the discovered TCP vulnerabilities, allowing attackers to take over the device, access the internal network, and cause disruption on a scale similar to what resulted from the EternalBlue vulnerability.”
Because information about which RTOS a given system uses is generally not publicly available, it’s a good idea to reach out to your vendor if they are not included on the list above to determine if your devices may be exposed to this vulnerability.
This is already happening to such a degree that some suppliers are posting announcements about their products’ status regarding Urgent/11. Opto 22, for example, posted a notice that its groov EPIC (edge programmable industrial controller), groov Box edge appliance, SNAP PAC System, and SNAP Ethernet I/O products are not affected by the vulnerability. Opto 22 uses different proprietary RTOSs on its legacy products and open source Linux software for groov EPIC.
“Of course, Linux isn't immune to issues like the VxWorks vulnerabilities,” said Benson Hougland, vice president of marketing and product strategy at Opto 22. “But with a massive community of open source developers continuously contributing and reviewing code, these issues are generally discovered and fixed quickly. Wind River's VxWorks is not open source and, as a result, doesn't benefit from that rigorous peer review process. In fact, it's now known that VxWorks has had these vulnerabilities dating back to 2006.”
To learn more about the use of open source software in industrial products, check out Automation World’s podcast on the topic: “Is Open Source Software a Good Choice for SCADA”. Hougland and Terry Orchard of Opto 22 participated in the interview for this podcast.