A researcher revealed an RCE vulnerability that could allow an attacker to remotely execute code in 'the world’s most widely used real-time OS deployed in embedded systems.'

A security researcher discovered a serious yet simple flaw in VxWorks, a real-time operating system for the Internet of Things, which an attacker could remotely exploit without needing any interaction with a user. The OS is used in everything from network routers to critical infrastructure, as well as in NASA’s Curiosity Rover on Mars and Boeing 787 Dreamliners.

Searching for VxWorks via Shodan reveals about 100,000 internet-connected devices running the OS, but VxWorks supposedly powers “billions of intelligent devices.” The researcher warned that the vulnerability “allows remote code execution on most VxWorks-based devices.”

Yannick Formaggio, a security researcher at Istuary Innovation Labs, presented “Attacking VxWorks: from Stone Age to Interstellar” at 44Con, an information security conference in London. The description of his talk reads, “VxWorks is the world’s most widely used real-time operating system deployed in embedded systems. Its market reach spans across all safety critical fields, including the Mars Curiosity rover, Boeing 787 Dreamliner, network routers to name a few.” Formaggio added, “In this age of IoT, the issue will have a widespread impact.”

You may not be familiar with VxWorks, but it has been around for “over 25 years” and has been “deployed in over 1.5 billion devices.” Wind River, the company behind VxWorks, uses its role in helping NASA’s Curiosity Mars Rover “survive the ‘seven minutes of terror’” as a customer success story.

The research began after a request from an Istuary client in the critical infrastructure industry. After creating a fuzzing tool, Istuary researchers discovered “an integer overflow vulnerability;” Forbes added that the flaw allowed Formaggio “to target a specific part of the operating system and write to memory on the machine running VxWorks. From there, it was possible to set up a backdoor account and control functions of the operating system.”

“It’s a very basic vulnerability,” he said. TechWorm added, “An attacker would have to find targets with a certain port (port 111) open, but if they did the exploit code could run without any interaction from the user. The attack could be run silently without the owner or the sysadmin having a clue of the hack.”

Although Formaggio specifically mentioned Boeing’s 787 Dreamliner running VxWorks, it was merely an example, as was NASA’s rover. VxWorks version 653, which runs in devices such as military Black Hawk helicopters and Boeing’s 787 Dreamliner, is not affected by the flaw. But VxWorks versions 5.5 through 6.9.4.1 are vulnerable. The current version is VxWorks 7. Formaggio believes Wind River may have “issued a patch, though he claims it wouldn’t release a public advisory as it didn’t deem the problems serious enough.”

The Intel-owned Wind River has a long list of customers across numerous industries using its VxWorks OS, ranging from the automotive industry, medical device industry, industrial customers like Siemens, KUKA, and Telco Systems, the networking industry, and the aerospace and defense industry; specific examples from the latter category include Northrop Grumman’s unmanned combat aircraft and Gran Telescopio Canarias, “one of the world’s largest telescopes.”

“Wind River’s VxWorks is widely used in ICS-related devices,” wrote the Cyber Emergency Response Team for Industrial Control Systems (ICS-CERT) when it issued a warning about a vulnerability that an attacker with “medium” skills could pull off. In June, ICS-CERT released the following security advisory for VxWorks versions used by Schneider Electric.
“The VxWorks software generates predictable TCP initial sequence numbers that may allow an attacker to predict the TCP initial sequence numbers from previous values, which may allow an attacker to spoof or disrupt TCP connections.”