An anonymous reader quotes a report from Ars Technica: About 200 million Internet-connected devices — some that may be controlling elevators, medical equipment, and other mission-critical systems — are vulnerable to attacks that give attackers complete control, researchers warned on Monday. In all, researchers with security firm Armis identified 11 vulnerabilities in various versions of VxWorks, a slimmed-down operating system that runs on more than 2 billion devices worldwide. Billed collectively as Urgent 11, the vulnerabilities consist of six remote code flaws and five less-severe issues that allow things like information leaks and denial-of-service attacks. None of the vulnerabilities affects the most recent version of VxWorks or any of the certified versions of the OS, including VxWorks 653 or VxWorks Cert Edition.
For the 200 million devices Armis estimated are running a version that’s susceptible to a serious attack, however, the stakes may be high. Because many of the vulnerabilities reside in the networking stack known as IPnet, they can often be exploited by little more than boobytrapped packets sent from outside the Internet. Depending on the vulnerability, exploits may also be able to penetrate firewalls and other types of network defenses. The most dire scenarios are attacks that chain together multiple exploits that trigger the remote takeover of multiple devices. “Such vulnerabilities do not require any adaptations for the various devices using the network stack, making them exceptionally easy to spread,” Armis researchers wrote in a technical overview. “In most operating systems, such fundamental vulnerabilities in the crucial networking stacks have become extinct, after years of scrutiny unravelled and mitigated such flaws.” VxWorks-maker Wind River says the latest release of VxWorks “is not affected by the vulnerability, nor are any of Wind Rivers’ safety-critical products that are designed for safety certification, such as VxWorks 653 and VxWorks Cert Edition used in critical infrastructure.”
Wind River issued patches last month and is in the process of notifying affected customers of the threat.