Critical Industries at Risk from Eleven Zero-day Flaws in Real Time Operating System

Eleven vulnerabilities have been found in the Wind River VxWorks real-time operating system (RTOS). Six of these security flaws are classed as critical. The vulnerabilities allow complete remote takeover without any user action, and affect critical devices in critical industries.


VxWorks is widely used in mission-critical systems. Researchers at IoT security firm Armis have collectively named the vulnerabilities 'Urgent/11'. Ben Seri, vice president of research at Armis, commented, "A wide variety of industries rely on VxWorks to run their mission-critical devices in their daily operations -- from healthcare to manufacturing and even security businesses. This is why Urgent/11 is so important. The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern."


Wind River's website shows that VxWorks users include aerospace (Boeing, NASA JPL, Northrop Grumman, BAE and more), industrial (Rockwell Automation, OMRON, Mitsubishi Electric, Toshiba and more), motor (Ford, Bosch Motorsport, Clarion, Hyundai MOBIS and more), and medical firms such as Olympus and Varian Medical Systems.


"A compromised industrial controller," reports Armis Labs, "could shut down a factory, and a pwned patient monitor could have a life-threatening effect."


The vulnerabilities exist in the VxWorks IPnet stack, and any connected device that leverages VxWorks' IPnet stack will be affected by at least one of the vulnerabilities. All standard versions of VxWorks released since 2006, when Wind River acquired IPnet through the acquisition of Interpeak, are affected. However, the problem may go beyond VxWorks since some of the vulnerabilities were already present when Wind River acquired the product, and Interpeak licensed its IPnet stack to other real-time operating system vendors.


