A researcher has uncovered security vulnerabilities affecting the VxWorks operating system used by vendors for a wide range of products.
Two critical security bugs have been uncovered in the VxWorks
operating system powering products from Apple, Nokia and numerous other
VxWorks is developed by Wind River Systems, now owned by Intel.
Designed for use in embedded systems, VxWorks is a real-time operating
system used to power a wide range of devices, including printers,
fibre-channel switches and other products. A list of affected vendors
that have issued updates can be found in CERT advisories here
According to HD Moore, chief security officer at Rapid7, the
vulnerabilities rest in the VxWorks debug service and the hashing
algorithm used in the standard authentication API for VxWorks. If
exploited, the flaw in the VxWorks
service (WDB Agent) could permit an attacker to potentially hijack
the entire operating system. The service, he explained, was inadvertently
left open to attack by more than 100 different vendors.
"Since VxWorks provides the operating system, but the manufacturers
are responsible for building the final firmware image for their
products, whether a particular product is still vulnerable depends on
how that specific manufacturer responded," Moore told eWEEK. "In the
case of the exposed debug service, Wind River Systems sent an advisory
to their customer base that basically said -don't do that'. CERT
reached out to as many of the identified manufacturers as possible and
relayed my findings. Only a handful of the manufacturers with affected
devices actually replied to CERT with an update."
The story is similar for the hashing vulnerability, he said. An
attacker with a known username and access to a service such as telnet
or FTP that uses the standard authentication API can brute force the
password in a relatively short period of time. Like the Debug
Service flaw the core problem exists in the VxWorks' software. However,
hundreds of downstream vendors are likely to be affected, Moore said.
"All CERT was able to do was call down the list of VxWorks customers
and ask them to verify their products," he said. "Again, only a handful
of vendors replied indicating yes/no to this issue. In this instance,
Wind River Systems provided sample code to their customers for how to
work around this issue. For the bug to be actually fixed for a specific
device, the manufacturer would need to take this code from Wind River
Systems, build a new firmware update, then distribute this update to
their own customers."
According to Moore's findings, the flaw occurs because there are
only 210,000 possible hash outputs for all possible passwords. An
attacker can cycle through the most common ranges of hash outputs of
about 8,000 work-alike passwords to gain access to a VxWorks device.
Using the FTP protocol, this attack would only take about 30 minutes to
try all common password permutations.
Among the advice from CERT is a recommendation that
vendors using VxWorks in their products ditch the default hashing
algorithm in the standard authentication API in favor
of a trusted authentication API.
To address the Debug Service issue, vendors can remove the WDB
target debug agent in their Vxworks-based products by removing the
INCLUDE_WDB & INCLUDE_DEBUG components from their VxWorks Image. In
addition, enterprises worried about the issue can adjust their firewall
rules to restrict access to the debug service over UDP port 17185 to
only trusted sources until affected vendors release a patch.
Moore gave presentations on the issues last week at the Security B-sides and DEFCON 18 conferences in Las Vegas.
A spokesperson for Wind River said the company respond and
"distributed patches and remediation steps" in conjunction with
the CERT announcement.
"Once CERT notified Wind River, Wind River immediately assessed the
alert and was restricted to release a synchronous public response," the
spokesperson said in a statement. "Wind River's VxWorks continues
to be the most widely deployed real-time operating system in
mission-critical embedded systems."