
What You Should Do About the URGENT/11 VxWorks Vulnerabilities

Camille Campbell, Senior Manager, Product Marketing. Published 19 Apr 2021

The industry is currently buzzing with the news that researchers at Armis labs have found 11 zero-day vulnerabilities in the VxWorks operating system.

Although VxWorks may not have the mindshare of operating systems such as Linux, Windows or Android, it powers an estimated 2 billion critical industrial, medical and enterprise devices.  Cited examples include Supervisory Control and Data Acquisition (SCADA), elevator and industrial controllers, patient monitors and MRI machines, as well as firewalls, routers, modems, VoIP phones, and printers. 

Some of the known details about the specific vulnerabilities from the Armis Labs website:

  • The 11 vulnerabilities reside on the VxWorks TCP/IP stack (called IPnet), impacting all versions of VxWorks since v6.5. 
  • VxWorks has been in market since 1987 and due to the difficulties in upgrading many of the critical devices that are based on VxWorks, there are many aging versions of the operating system estimated to be in market.
  • 6 of the 11 vulnerabilities are classified as critical.  The impact is said to be serious, as they can enable attackers to take over devices without user interaction, even bypassing perimeter security devices such as firewalls and NAT.
  • Because the vulnerabilities sit low in the TCP/IP stack, exploitation traffic can appear to be legitimate network activity.
  • There is a concern that the vulnerabilities are “wormable” and they can be used to propagate malware into and within the network. 
  • These vulnerabilities might have an even wider reach than just VxWorks operating systems, as IPnet was used in other operating systems, prior to its acquisition by VxWorks in 2006.
  • The latest release of VxWorks v7 contains fixes for all 11 discovered vulnerabilities.

Armis Labs has published three videos demonstrating different attacks, including a take-over of a Xerox printer and a SonicWall firewall.  However, the most compelling video is the hijacking of a patient monitoring system with the patient data actively manipulated as it is monitoring a live patient.

Determining Your Impact  

It is likely that your network has devices that run VxWorks, particularly if you are in the healthcare, utilities or manufacturing verticals. 

Networking and security providers may also leverage VxWorks in their products, with the level of exposure varying based on the product and/or VxWorks version.  Note that Extreme Networks runs a restricted version of VxWorks within our BOSS (found in our Ethernet Routing Switch portfolio) and our EOS operating systems (found within S and K-Series products and the 7100 Series products).  Details on workarounds and fixes for many of the URGENT/11 vulnerabilities can be found on the Extreme Support Portal.  This site will continue to be updated as more information is gathered.

To assist organizations in determining which devices they have on their network, Armis Labs promotes an agentless device security platform that is able to discover all devices in an enterprise environment that have any of the URGENT/11 vulnerabilities.  Note that Extreme Networks has not yet had an opportunity to test this capability.

Mitigating Your Risk

Security experts are recommending that companies running any devices suspected to be vulnerable take the following actions:

  • Patch impacted devices as quickly as possible
  • Shield all vulnerable devices to the best of your ability
  • Segment devices through network / micro-segmentation
  • Monitor the behavior of all vulnerable devices for indications of compromise

1) Patch impacted devices as quickly as possible

This is critical since none of the devices that run the VxWorks operating system can be protected by traditional security agents.  Therefore, it is recommended that you pull together a patch management program, if you don’t already have one in place, to patch any impacted devices as quickly and as efficiently as possible.

2) Shield all vulnerable devices to the best of your ability.

It is likely that patching a series of highly critical devices will take time, or may no longer even be possible. This is especially true in a healthcare setting, where medical devices could require a costly and time-consuming recertification process, if they can be patched at all.  Here is where an IoT security solution, like Extreme’s Defender for IoT, comes into play.  Defender for IoT can help reduce the attack surface for IP-based attacks by providing in-line network access policy enforcement for the vulnerable device. It restricts communication to only authorized hosts, using only authorized protocols/applications, based on pre-defined whitelist security policies.  It also places devices in their own isolated and encrypted network segment, so that they are separated from the broader corporate network and from other types of devices.

The best argument for a solution, such as Defender for IoT, is shown in this demonstration video which shows how Defender for IoT can be used to assist in isolating and helping protect a patient monitoring system from a similar attack as the one Armis Labs conducted in their video.

3) Segment devices through network / micro-segmentation  

Due to the threat of an attack bypassing perimeter security devices such as firewalls, network segmentation has never been more critical.  Network segmentation is all about containing breaches to where they occurred in order to minimize damage.  Although many security experts tout the values of a highly segmented network, it is estimated by Gartner that only 5% of IoT devices deployed today are segmented.  This is due to the complexity that is required to implement and maintain a highly segmented network using traditional networking technologies.  Breaches, such as the recent NASA attack, serve as a reminder of the damage that can result from a network that is insufficiently segmented.   Again, Extreme can help.  Our Fabric Connect technology enables scalable network segments to be created with ease and with greater inherent security than traditional networking technologies. Learn more in this blog post.  In addition, Defender for IoT also segments groups of IoT devices within IPSec tunnels (over any IP network) or within Fabric Connect secure segments.

4) Monitor the behavior of all vulnerable devices for indications of compromise

Normally, IoT devices of the same category (temperature sensors, industrial automation devices, CCTV surveillance cameras, etc.) exhibit comparable behavior on the network.  Leveraging a security analytics platform, it is possible to learn the expected behavior of IoT endpoints through AI/ML technologies and trigger alerts or act when an endpoint acts in an unusual way.  This can all happen unsupervised without any strain on IT or security groups.
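As an added example (not code from the post or from any Extreme product), the following Python sketch shows the two ideas behind steps 2 and 4 on constructed flow records: a default-deny allowlist applied in both directions around a device that cannot be patched, and a behaviour baseline learned from a training window that flags new peer/protocol/port combinations. The monitor address 10.20.0.15, the central station 10.20.0.2, and the use of HL7 over TCP/2575 are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the original post). A flow is
# (src_ip, dst_ip, proto, dst_port). The hypothetical patient monitor
# 10.20.0.15 should only exchange HL7 (TCP/2575) and NTP (UDP/123)
# with the hypothetical central station 10.20.0.2.
MONITOR = "10.20.0.15"
POLICY = {MONITOR: {("10.20.0.2", "tcp", 2575), ("10.20.0.2", "udp", 123)}}

def allowed(policy, flow):
    """Default-deny allowlist in both directions: traffic involving a
    shielded device passes only if the peer/proto/port tuple is listed."""
    src, dst, proto, port = flow
    if src in policy:
        return (dst, proto, port) in policy[src]
    if dst in policy:
        return (src, proto, port) in policy[dst]
    return True  # neither endpoint is a shielded device; out of scope

def enforce(policy, flows):
    """Split flows into permitted and blocked, as an in-line policy would."""
    permitted = [f for f in flows if allowed(policy, f)]
    blocked = [f for f in flows if not allowed(policy, f)]
    return permitted, blocked

def learn_baseline(flows):
    """Per source device, record the peer tuples seen in a training window
    that is assumed clean; this is the 'expected behavior' of step 4."""
    baseline = defaultdict(set)
    for src, dst, proto, port in flows:
        baseline[src].add((dst, proto, port))
    return baseline

def find_anomalies(baseline, flows):
    """Flows whose source never contacted that peer tuple during training."""
    return [f for f in flows if (f[1], f[2], f[3]) not in baseline.get(f[0], set())]

TRAINING = [
    (MONITOR, "10.20.0.2", "tcp", 2575),
    (MONITOR, "10.20.0.2", "udp", 123),
]
LIVE = [
    (MONITOR, "10.20.0.2", "tcp", 2575),    # normal HL7 update
    ("10.20.0.99", MONITOR, "tcp", 2575),   # unknown host reaching the device
    (MONITOR, "10.20.0.77", "tcp", 445),    # device itself reaching out sideways
]

if __name__ == "__main__":
    permitted, blocked = enforce(POLICY, LIVE)
    print("blocked:", blocked)
    print("anomalies:", find_anomalies(learn_baseline(TRAINING), LIVE))
```

The allowlist blocks the unknown host before it reaches the device, while the baseline flags the device's own unexpected outbound connection, which is the kind of post-compromise behaviour step 4 is meant to catch.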

There is no question that IoT is forcing the industry to rethink security, and these recent VxWorks vulnerabilities are just another example of why.
