Armis’ research team, Armis Labs, discovered 11 vulnerabilities in the real-time operating system VxWorks. VxWorks is used by more than 2 billion devices, including industrial and medical equipment as well as critical infrastructure. PLC manufacturers using VxWorks include Schneider, Emerson, General Electric and Allen-Bradley.
These vulnerabilities are called URGENT/11.
They reside in the TCP/IP stack (IPnet) of the OS and therefore affect all versions since version 6.5 (released in 2006). Their scope could be even broader, because IPnet was used in other operating systems before it was acquired by VxWorks in 2006, but the research team did not study this.
Six disclosed vulnerabilities are classified as critical because they could allow remote code execution. Other vulnerabilities can lead to denial of service attacks or information extraction.
Armis disclosed the vulnerabilities to Wind River, the company that develops and maintains VxWorks, and worked with them to develop mitigation measures and patches, as well as to inform manufacturers of the affected devices.
URGENT/11 vulnerabilities affect VxWorks versions since version 6.5, but not the versions of the product designed for security certification (VxWorks 653 and VxWorks Cert Edition), which are used by some critical infrastructures such as transportation.
Given the impact of these vulnerabilities, manufacturers relying on this solution will have to publish advisories describing the impact of URGENT/11 on their products.
Sentryo’s Security Labs team is conducting an in-depth analysis of the vulnerabilities disclosed by Armis Labs and will present its analysis as soon as it is completed.