What are the risks of serious RCE attacks faced by VxWorks

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains in detail the risk of remote code execution (RCE) that the URGENT/11 vulnerabilities pose to VxWorks devices. The editor considers it very practical and shares it here as a reference; we hope you gain something from reading it.

Overview

The Armis research team found 11 zero-day vulnerabilities in VxWorks, probably the most widely used real-time operating system in the world. According to Armis, VxWorks runs on more than 2 billion devices, including critical industrial, medical and enterprise equipment.

The set of vulnerabilities, known as "URGENT/11", lies in VxWorks's TCP/IP stack (IPnet) and affects all versions since 6.5. It does not affect the safety-certified product variants, VxWorks 653 and VxWorks Cert Edition.

Six of the vulnerabilities are rated critical and allow remote code execution (RCE). The others are denial of service, information disclosure and logic flaws. An URGENT/11 attack can have severe impact because it lets an attacker take over devices outright and even pass through security devices such as firewalls and NAT, after which the attacker can spread malware inside the network. In that respect it resembles the EternalBlue vulnerability, which was used to spread the WannaCry malware.

Manufacturers and operators of VxWorks devices are advised to check the Wind River Security Alert published by the company's Security Center for the latest updates and to patch immediately. Full technical details of the URGENT/11 vulnerabilities are in the URGENT/11 technical white paper.

VxWorks: real-time operating system

VxWorks is the most widely used real-time operating system (RTOS) in the world. An RTOS is used by equipment that demands high precision and reliability: critical infrastructure, network equipment, medical equipment, industrial systems and even spacecraft. VxWorks therefore turns up everywhere from PLCs to MRI machines, firewalls and printers, aircraft and trains. Vendors shipping VxWorks-based devices include Siemens, ABB, Emerson Electric, Rockwell, Mitsubishi Electric, Samsung, Ricoh, Xerox, NEC and Arris.

First released in 1987, VxWorks is one of the most mature operating systems still in widespread use. Many versions remain in the field because of the nature of the devices it runs on and the difficulty of upgrading them. Despite its age, only a handful of vulnerabilities have ever been found in it, none as serious as URGENT/11. Two factors make this research significant: the internals of VxWorks have remained relatively obscure, and so have its flaws, which is how vulnerabilities as severe as URGENT/11 survived for so long; and because the RTOS is used by so many critical devices, any vulnerability found in it has outsized impact.

URGENT/11 influence

URGENT/11 poses a significant risk to every VxWorks device with a network connection. There are three attack scenarios, depending on where the device sits in the network and where the attacker is. An attacker can use URGENT/11 to take control of devices at the network perimeter or inside it; even a device that only maintains an outbound connection to a remote server can be attacked and taken over. An attacker who has already infiltrated the network can use URGENT/11 to target a specific device, or take over all affected VxWorks devices on the network at once with broadcast packets.

In every case the attacker gains full remote control of the target device without any user interaction; the only difference is how the attacker reaches the device.

Scenario 1 - attacking network perimeter devices

The first scenario targets VxWorks devices at the network boundary, such as firewalls, which are reachable directly from the Internet. Using an URGENT/11 vulnerability, an attacker can attack these devices directly, take full control of them, and then move into the internal network.

A Shodan search shows more than 800,000 SonicWall firewalls connected to the Internet, which means a similar number of internal networks sit behind them. With URGENT/11 and an Internet connection, an attacker can send specially crafted TCP packets straight at these firewalls and take control of all of them at once, producing a botnet of almost immeasurable size and exposing every network behind them.

Scenario 2 - bypassing security from outside the network

The second scenario affects any VxWorks device that maintains an outbound connection to an external server. Such a device can be taken over from outside, so any firewall or NAT deployed at the network perimeter does not protect it.

Example: an IoT device inside a protected network that connects to a cloud service, such as a Xerox printer. The printer is not directly exposed to the Internet because a firewall and NAT shield it. An attacker who can intercept the printer's TCP connection to the cloud can inject packets into that connection, trigger an URGENT/11 RCE vulnerability on the printer, and take full control of it. Once an attacker controls one device on the network, they can move laterally and take over other VxWorks devices, as described in the next scenario.

Scenario 3 - attacking from inside the network

In this scenario the attacker already controls a device inside the target network. To attack other VxWorks devices on that network, the attacker needs no information about them at all: URGENT/11 can be triggered by packets broadcast across the network, so every vulnerable device can be attacked with a single broadcast.

Example: a patient monitor in a hospital. It is not connected to the Internet, but an attacker who has penetrated the hospital network can take it over. Another example is a programmable logic controller (PLC). Because PLCs run on affected VxWorks versions, an attacker using URGENT/11 can broadcast the attack across the network and effectively take control of an entire factory floor without any prior reconnaissance.

Technical details

URGENT/11 is a set of 11 vulnerabilities in VxWorks's TCP/IP stack (IPnet). Six are rated critical and allow remote code execution (RCE); the rest are denial of service, information disclosure or logic flaws. Because each vulnerability lives in a different part of the network stack, each affects a different range of VxWorks versions.

URGENT/11 is by far the most serious set of vulnerabilities found in VxWorks, which has had only 13 CVEs in its 32-year history. It is unusual in that it lets an attacker bypass NAT and firewalls and take remote control of a device through the TCP/IP stack itself, without detection and without user interaction.

As mentioned earlier, URGENT / 11 consists of 11 vulnerabilities, divided into two categories:

Six key vulnerabilities that allow remote code execution

Stack overflow when parsing the IPv4 option (CVE-2019-12256)

This vulnerability can be triggered by IP packets sent to the target device, as well as broadcast or multicast packets. The vulnerability causes a stack overflow when processing the IP option in the IPv4 header, allowing RCE. It does not need to run any specific applications or configurations on the device.

Four memory corruption vulnerabilities caused by incorrect handling of the TCP urgent pointer field (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263)

These vulnerabilities stem from improper handling of the TCP urgent pointer field, a feature rarely used by modern applications. An attacker can trigger the faulty handling either by connecting directly to an open TCP port on the target device or by hijacking one of the target's existing TCP connections. Once triggered, the bugs cause an application on the target device to receive more bytes from the system's recv() function than the buffer size it requested, corrupting memory.

Because the urgent pointer is a standard part of the TCP protocol, routers, NAT devices and even firewalls pass it through unchanged. A connection that traverses several routers, NAT devices and firewalls can therefore still be hijacked by an attacker and used to trigger these vulnerabilities.

The four variants affect different VxWorks versions:

1. TCP urgent pointer = 0 leads to an integer underflow (CVE-2019-12255), affecting VxWorks 6.5 to 6.9.3.

2. TCP urgent pointer state confusion caused by a malformed TCP AO (TCP Authentication Option) option (CVE-2019-12260), affecting VxWorks 6.9.4 and later.

3. TCP urgent pointer state confusion caused by a race condition (CVE-2019-12263), affecting VxWorks 6.6 and later.

4. TCP urgent pointer state confusion during connect() to a remote host (CVE-2019-12261), affecting VxWorks 6.7 and later.
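The mechanism behind the first variant, an unsigned subtraction on a peer-controlled urgent pointer that wraps and then overrides the caller's buffer length, is easy to see in a small model. The following is an added example written for this page, not IPnet source and not Wind River's code: it models a receive queue, a vulnerable recv() path that computes the urgent chunk as urg_ptr - 1 and trusts the result, and a hardened path that rejects the degenerate pointer before any arithmetic and never exceeds the caller's buffer. The struct and the exact arithmetic are constructed for illustration; the demo backs the 64-byte "application buffer" with a larger array so the over-copy can be measured without undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a TCP receive queue holding data for one socket.
 * Not IPnet's data structures; just enough state to show the bug class. */
struct rx_queue {
    const uint8_t *data;   /* bytes queued for the application */
    size_t len;            /* how many bytes are queued */
    int urg_pending;       /* a segment with the URG flag was received */
    uint16_t urg_ptr;      /* urgent pointer copied from the TCP header */
};

/* Vulnerable model (constructed): the urgent chunk length is derived as
 * urg_ptr - 1 in unsigned arithmetic. With urg_ptr == 0 this wraps to SIZE_MAX,
 * so the "urgent" chunk becomes the whole queue, and because the urgent path
 * delivers its chunk without re-checking buflen, recv() returns more bytes than
 * the application asked for. Returns the number of bytes written into buf. */
size_t vulnerable_recv(const struct rx_queue *q, uint8_t *buf, size_t buflen) {
    size_t ncopy = q->len < buflen ? q->len : buflen;
    if (q->urg_pending) {
        size_t urg_len = (size_t)q->urg_ptr - 1;          /* wraps when urg_ptr == 0 */
        ncopy = urg_len < q->len ? urg_len : q->len;      /* buflen is no longer consulted */
    }
    memcpy(buf, q->data, ncopy);
    return ncopy;
}

/* Hardened model: validate the peer-supplied pointer before subtracting from it,
 * bound it by the data actually queued, and never exceed the caller's buffer.
 * A malformed urgent pointer is treated as "no urgent data". */
size_t hardened_recv(const struct rx_queue *q, uint8_t *buf, size_t buflen) {
    size_t ncopy = q->len < buflen ? q->len : buflen;     /* caller's cap always holds */
    if (q->urg_pending && q->urg_ptr > 1 && (size_t)q->urg_ptr - 1 <= q->len) {
        size_t urg_len = (size_t)q->urg_ptr - 1;          /* safe: urg_ptr >= 2 here */
        if (urg_len < ncopy) ncopy = urg_len;             /* urgent chunk first, still capped */
    }
    memcpy(buf, q->data, ncopy);
    return ncopy;
}

/* Constructed scenario: 200 queued bytes, URG set, urgent pointer 0,
 * application passes a 64-byte buffer. The buffer is backed by 256 bytes so the
 * vulnerable over-copy can be observed without writing out of bounds. */
static size_t run_scenario(size_t (*recv_fn)(const struct rx_queue *, uint8_t *, size_t),
                           uint16_t urg_ptr) {
    static uint8_t queued[200];
    memset(queued, 'A', sizeof queued);
    struct rx_queue q = { queued, sizeof queued, 1, urg_ptr };
    uint8_t backing[256] = {0};
    return recv_fn(&q, backing, 64);                      /* application believes buf is 64 bytes */
}

size_t vulnerable_bytes_with_zero_urg(void) { return run_scenario(vulnerable_recv, 0); }   /* 200 */
size_t hardened_bytes_with_zero_urg(void)   { return run_scenario(hardened_recv, 0); }     /* 64 */
size_t vulnerable_bytes_with_urg_10(void)   { return run_scenario(vulnerable_recv, 10); }  /* 9 */
size_t hardened_bytes_with_urg_10(void)     { return run_scenario(hardened_recv, 10); }    /* 9 */

int main(void) {
    printf("urg_ptr=0,  vulnerable recv returned %zu bytes into a 64-byte buffer\n",
           vulnerable_bytes_with_zero_urg());
    printf("urg_ptr=0,  hardened recv returned   %zu bytes\n", hardened_bytes_with_zero_urg());
    printf("urg_ptr=10, vulnerable recv returned %zu bytes\n", vulnerable_bytes_with_urg_10());
    printf("urg_ptr=10, hardened recv returned   %zu bytes\n", hardened_bytes_with_urg_10());
    return 0;
}
```

The point to take from the model is not the exact arithmetic but the two checks the hardened path adds: the peer-controlled field is range-checked before it feeds a subtraction, and no code path is allowed to replace the caller's length with a value derived from the wire.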

Heap overflow in DHCP Offer / ACK parsing (CVE-2019-12257)

This is a heap overflow triggered when a vulnerable device parses a specific DHCP response packet. When the device requests an IP address from a DHCP server, the response is parsed by ipdhcpc, VxWorks's built-in DHCP client. An attacker on the same subnet can wait for the target to send a DHCP request and answer quickly with a crafted response; the target, which is waiting for the legitimate DHCP server's reply, is easily fooled into parsing the crafted message, resulting in remote code execution. This vulnerability affects VxWorks 6.5 to 6.9.3.

Five vulnerabilities that lead to denial of service, information disclosure, or certain logic flaws

TCP connection DoS with malformed TCP option (CVE-2019-12258)

This vulnerability affects VxWorks 6.5 and later and allows a denial of service against any TCP connection to an affected device. It is triggered by a specially crafted TCP packet carrying certain TCP options and addressed with the 4-tuple (source and destination address and port) of an existing connection; the attacker does not need to know the connection's sequence numbers, and the connection is torn down.

Handling unsolicited reverse ARP replies (logic flaws) (CVE-2019-12262)

This is a logic flaw affecting VxWorks 6.5 and later that lets an attacker on the same subnet add multiple IPv4 addresses to the target device through unsolicited RARP reply packets. This corrupts the target's routing table and may deny service to the applications that depend on it. Triggering the flaw repeatedly can also exhaust memory and cause further failures on the target.

Logic defect of ipdhcpc DHCP client assigning IPv4 (CVE-2019-12264)

This is a logic flaw in VxWorks's built-in DHCP client (ipdhcpc), where included, affecting VxWorks 6.5 and later. The vulnerable device will accept any IPv4 address assigned to it by DHCP.

DoS in IGMP parsing (CVE-2019-12259)

This is a denial of service vulnerability affecting VxWorks 6.5 and later: the target may crash while parsing unauthenticated IGMP packets sent by an attacker on the local subnet.

IGMP Information leakage (CVE-2019-12265)

This is an information disclosure affecting VxWorks 6.9.3 and later, reachable by way of the DHCP client flaw above (CVE-2019-12264). To trigger it, the attacker sends a fragmented IGMPv3 membership query to the target; the IGMPv3 membership report the target sends back leaks information from its packet heap to the attacker.

Affected area

The URGENT / 11 vulnerability affects all VxWorks versions since version 6.5, excluding certified product versions such as VxWorks 653 and VxWorks Cert Edition.

A partial list of affected devices includes:

SCADA devices

Industrial controllers

Patient monitors

MRI machines

Firewalls

VOIP phones

Printers

Beyond the device classes above, several public lists identify which manufacturers use VxWorks:

Wind River Customer Page

Wikipedia VxWorks Page

SlideShare

Online Presentations

Medical and industrial sectors may be at risk

Because VxWorks is so common in the industrial and medical sectors, they face the most serious risk: a compromised industrial controller can shut down a factory, and a compromised patient monitor can be life-threatening.

Solution: VxWorks update

Organizations and device manufacturers running VxWorks should patch affected equipment immediately. Updates and patches are listed in the Wind River Security Alert published by the company's security center.

Firewall settings

Where patching is not yet possible, the following firewall rules help detect or block URGENT/11 traffic:

1. Detect any use of the TCP urgent pointer. In rare cases legitimate applications use the urgent pointer, so this rule can produce some false positives.

2. Detect packets with the SYN, URG and FIN flags set together. This combination never appears in legitimate TCP traffic.

3. Detect any IP packet carrying the LSRR or SSRR (loose/strict source and record route) option.
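The three rules above, as an added example written for this page (not a Wind River or Armis tool): a small inspector over raw IPv4+TCP bytes that flags the urgent pointer, the SYN+URG+FIN combination and the LSRR/SSRR options. The option walk is also the bounds-checked counterpart of the IPv4 option parsing that CVE-2019-12256 got wrong: every option length is checked against the header length before any option byte is read, and a list that does not fit is rejected rather than parsed. The packets are constructed inline for the demonstration; the rule bitmask and helper names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_ACK 0x10
#define TCP_URG 0x20

#define IPOPT_EOL  0x00
#define IPOPT_NOP  0x01
#define IPOPT_LSRR 0x83   /* loose source and record route */
#define IPOPT_SSRR 0x89   /* strict source and record route */

/* Rule bitmask returned by inspect_packet (names are this example's own). */
enum {
    MATCH_URG          = 1,   /* rule 1: URG flag set or urgent pointer non-zero */
    MATCH_SYN_URG_FIN  = 2,   /* rule 2: SYN, URG and FIN all set */
    MATCH_SOURCE_ROUTE = 4,   /* rule 3: LSRR or SSRR option present */
    MATCH_MALFORMED    = -1   /* option list does not fit the header: drop, do not parse */
};

/* Inspect one IPv4 packet of len bytes. Returns the rules it matched, or
 * MATCH_MALFORMED if the header or option list is inconsistent. */
int inspect_packet(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return MATCH_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;            /* header length incl. options */
    if (ihl < 20 || ihl > len) return MATCH_MALFORMED;

    int match = 0;
    size_t i = 20;
    while (i < ihl) {                                     /* bounds-checked option walk */
        uint8_t type = pkt[i];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= ihl) return MATCH_MALFORMED;         /* no room for the length byte */
        uint8_t optlen = pkt[i + 1];
        if (optlen < 2 || i + optlen > ihl) return MATCH_MALFORMED;  /* option overruns header */
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) match |= MATCH_SOURCE_ROUTE;
        i += optlen;
    }

    if (pkt[9] == 6 && ihl + 20 <= len) {                 /* protocol 6 = TCP, full base header present */
        const uint8_t *tcp = pkt + ihl;
        uint8_t flags = tcp[13];
        uint16_t urg_ptr = (uint16_t)((tcp[18] << 8) | tcp[19]);
        if ((flags & TCP_URG) || urg_ptr != 0) match |= MATCH_URG;
        if ((flags & (TCP_SYN | TCP_URG | TCP_FIN)) == (TCP_SYN | TCP_URG | TCP_FIN))
            match |= MATCH_SYN_URG_FIN;
    }
    return match;
}

/* Build a constructed IPv4+TCP packet into out: 20-byte base header, the given
 * options padded with EOL (0x00) to a 4-byte boundary, then a 20-byte TCP header
 * with the given flags and urgent pointer. Returns the total length. */
size_t build_packet(uint8_t *out, const uint8_t *opts, size_t optlen, uint8_t flags, uint16_t urg_ptr) {
    size_t padded = (optlen + 3) & ~(size_t)3;
    size_t ihl = 20 + padded;
    memset(out, 0, ihl + 20);
    out[0] = (uint8_t)(0x40 | (ihl / 4));                 /* version 4, IHL in 32-bit words */
    uint16_t total = (uint16_t)(ihl + 20);
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)(total & 0xff);
    out[9] = 6;                                           /* protocol = TCP */
    if (optlen) memcpy(out + 20, opts, optlen);           /* pad bytes already EOL */
    uint8_t *tcp = out + ihl;
    tcp[12] = 0x50;                                       /* data offset = 5 words */
    tcp[13] = flags;
    tcp[18] = (uint8_t)(urg_ptr >> 8); tcp[19] = (uint8_t)(urg_ptr & 0xff);
    return ihl + 20;
}

/* Constructed sample packets, one per rule plus a malformed option list. */
int demo_plain_syn(void)     { uint8_t p[80]; return inspect_packet(p, build_packet(p, NULL, 0, TCP_SYN, 0)); }          /* 0 */
int demo_syn_urg_fin(void)   { uint8_t p[80]; return inspect_packet(p, build_packet(p, NULL, 0, TCP_SYN | TCP_URG | TCP_FIN, 0)); } /* 3 */
int demo_urg_ptr_only(void)  { uint8_t p[80]; return inspect_packet(p, build_packet(p, NULL, 0, TCP_ACK, 1)); }          /* 1 */
int demo_lsrr(void) {
    static const uint8_t lsrr[] = { IPOPT_LSRR, 7, 4, 10, 0, 0, 1 };   /* one hop: 10.0.0.1 */
    uint8_t p[80]; return inspect_packet(p, build_packet(p, lsrr, sizeof lsrr, TCP_ACK, 0));  /* 4 */
}
int demo_malformed(void) {
    static const uint8_t bad[] = { IPOPT_LSRR, 40 };                   /* claims 40 bytes, header holds 4 */
    uint8_t p[80]; return inspect_packet(p, build_packet(p, bad, sizeof bad, TCP_ACK, 0));    /* -1 */
}

int main(void) {
    printf("plain SYN          -> %d\n", demo_plain_syn());
    printf("SYN+URG+FIN        -> %d\n", demo_syn_urg_fin());
    printf("urgent pointer set -> %d\n", demo_urg_ptr_only());
    printf("LSRR option        -> %d\n", demo_lsrr());
    printf("bad option length  -> %d\n", demo_malformed());
    return 0;
}
```

In a real deployment rule 1 is the one to tune: rule 2 and rule 3 can be dropped outright, but the urgent-pointer rule should start in alert-only mode until the few legitimate users of URG on the network have been identified.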

This concludes the article on the risks of serious RCE attacks against VxWorks. We hope the content above is helpful; if you found the article useful, please share it so that more people can see it.
