New batch of zero-day vulnerabilities found in popular IoT operating system
Internet of things technologies have become a core part of many organizations' IT infrastructure, but cybersecurity issues continue to be a major implementation barrier across industry lines. A study conducted by the Ponemon Institute found that companies spend an average of $18.7 million on information security each year, yet many IT administrators are unclear about the effectiveness of their cybersecurity solutions. In fact, Ponemon's research found that around 53% of surveyed IT staff were unsure whether their infosec policies and protocols helped to successfully mitigate cyberthreats like malware, phishing and zero-day exploits.
One issue is that companies tend to prioritize system- and network-level security solutions, which are often easier to manage at scale, over device-oriented protections. However, now that IoT equipment has become commonplace, enterprises will need to deploy layered security frameworks that offer maximum visibility and responsive threat detection across their entire IT infrastructure. Of course, keeping pace with emerging cyberthreats will likely continue to be a pain point for organizations of all sizes, as new hacking methods are developed on what feels like a minute-by-minute basis. The best way to protect critical assets and insulate sensitive data from unauthorized access is to aggressively identify vulnerabilities and roll out patches as soon as possible. But what specific threats should companies look out for?
Researchers discover 11 zero-day vulnerabilities in VxWorks
In early July, researchers from the California-based cybersecurity firm Armis publicly disclosed their discovery of 11 zero-day vulnerabilities in VxWorks, one of the most popular IoT operating systems for commercial and consumer devices. According to Armis, the OS is currently running on over 2 billion IoT devices around the world, including:
- Supervisory control and data acquisition equipment
- Industrial controllers
- Patient monitors and MRI machines
- VoIP phones
- Wireless printers
Researchers have called this batch of vulnerabilities "URGENT/11" and have already taken steps to contact the maintainer of VxWorks, the software developer Wind River, to offer their support. According to a security alert on Wind River's website, the latest patch version (VxWorks 7), released on July 19, contains comprehensive fixes for all of the vulnerabilities Armis had discovered. That said, it's important to understand how cybercriminals are able to exploit VxWorks' flaws in order to build a strong knowledge base for future zero-day vulnerabilities.
URGENT/11: Three possible attack scenarios
According to Armis' research team, all 11 vulnerabilities involve VxWorks' TCP/IP stack (IPnet) and impact all previous iterations of the OS since version 6.5. What makes the URGENT/11 vulnerabilities so dangerous is that they enable cybercriminals to take complete control of IoT devices without any user interaction. They also allow hackers to bypass important perimeter security devices, like firewalls and network address translation solutions, and spread harmful malware throughout an organization's broader network. As a result, these zero-day exploits pose a serious risk to all connected devices and applications, not just those directly impacted by the URGENT/11 vulnerabilities.
Here are the three attack scenarios identified by the Armis security team:
1. Attacking a network's defenses: The VxWorks vulnerabilities allow hackers to target and overcome specific security devices located at a network's perimeter. For example, firewalls serve as a key line of defense against internet-based attacks and support a network's overall integrity, but hackers using the URGENT/11 vulnerabilities would be able to take control over these critical choke points with a direct TCP packet attack. Once they've infiltrated the network, malicious actors could assemble a massive botnet by infecting all connected IoT devices with a strain of malware similar to WannaCry or Mirai.
2. Attacking from outside the network, bypassing security: Another potential attack vector is for hackers to target specific IoT devices, bypassing firewalls and NAT solutions altogether. This strategy allows unauthorized users to fly below the radar, as their activity would be viewed as "benign network communications" by most automated systems and IT administrators. For example, a wireless printer connected to an organization's cloud does not directly interface with the open internet, but hackers would be able to leverage the URGENT/11 vulnerabilities to intercept the device's TCP connection. This man-in-the-middle type of attack could provide cybercriminals with complete access to and control over other parallel VxWorks devices.
3. Attacking from within the network: The final scenario involves attackers who have already infiltrated an organization's network, most likely through one of the URGENT/11 vulnerabilities. Once they have full rein of an internal network, hackers can send specialized packets to select VxWorks devices without needing any prior information about their location or functionality. They would also be able to breach any other vulnerable device connected to the network by broadcasting "malicious packets" broadly, rather than targeting specific devices. Using this method, hackers could quickly take control over an entire system or hold critical assets hostage using ransomware.
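As an added example (not code from Armis, Wind River or Perle), the Python script below turns the two facts stated on this page, that every VxWorks release since 6.5 is affected and that the July 19 VxWorks 7 release carries the fixes, into a triage pass over an asset inventory, ordering the hits by the exposure the three scenarios describe: perimeter security devices first, externally reachable devices second, internal-only devices third. The inventory fields (`os`, `version`, `patched`, `placement`) and the sample rows are assumptions constructed for the example; `patched` stands for the asset owner's own record that the fix release has been applied.

```python
"""Inventory triage for URGENT/11 exposure (added example, assumed inventory schema)."""
import re
from dataclasses import dataclass

# Page: all VxWorks releases since 6.5 carry the IPnet flaws. Releases older than
# 6.5 fall outside this rule and are not flagged here.
AFFECTED_SINCE = (6, 5)

# Ordering taken from the page's three scenarios: perimeter security devices
# (scenario 1), then externally reachable devices (scenario 2), then internal-only
# devices (scenario 3). The placement labels themselves are an assumption.
PLACEMENT_PRIORITY = {"perimeter": 1, "externally_reachable": 2, "internal": 3}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?")


@dataclass(frozen=True)
class Asset:
    name: str
    os: str
    version: str
    patched: bool      # assumed field: July 19 fix release applied
    placement: str     # one of PLACEMENT_PRIORITY's keys (assumed field)


def parse_version(version):
    """Return (major, minor) from '6.9', '7' or '6.9.4'; None when unparsable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(asset):
    """True when the asset runs an unpatched VxWorks release at or above 6.5."""
    if asset.os.lower() != "vxworks" or asset.patched:
        return False
    parsed = parse_version(asset.version)
    if parsed is None:
        # Unknown version: keep it on the list for review rather than silently drop it.
        return True
    return parsed >= AFFECTED_SINCE


def triage(assets):
    """Affected assets as (priority, name), ordered by scenario priority then name."""
    affected = [a for a in assets if is_affected(a)]
    affected.sort(key=lambda a: (PLACEMENT_PRIORITY.get(a.placement, 99), a.name))
    return [(PLACEMENT_PRIORITY.get(a.placement, 99), a.name) for a in affected]


# Constructed sample inventory; none of these are real devices.
SAMPLE_INVENTORY = [
    Asset("edge-firewall", "VxWorks", "6.9", False, "perimeter"),
    Asset("lobby-printer", "VxWorks", "6.8", False, "externally_reachable"),
    Asset("line-plc", "VxWorks", "7.0", False, "internal"),
    Asset("desk-phone", "VxWorks", "7", True, "internal"),
    Asset("legacy-hmi", "VxWorks", "6.4", False, "internal"),
    Asset("file-server", "Linux", "5.2", True, "internal"),
]

if __name__ == "__main__":
    for priority, name in triage(SAMPLE_INVENTORY):
        print(f"priority {priority}: {name}")
```

Assets whose version cannot be parsed are deliberately kept on the list: in an IoT inventory a blank or vendor-formatted version string is common, and an unreviewed device is the more expensive mistake. Patch the priority-1 hits first, since the page's first scenario shows those are the devices an attacker would use as a stepping stone into the rest of the network.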
These types of zero-day exploits demonstrate the importance of comprehensive cybersecurity policies that prioritize vulnerability identification and resolution. Perle offers industrial-grade connectivity tools that can help companies protect their mission-critical servers and maintain their network security. Read some of our customer stories to find out more.