When talking about bugs affecting operating systems, you often hear about Windows and Android, sometimes iOS, and, from time to time, even Linux. Rarely do RTOSes, short for Real-Time Operating Systems, get any coverage. One RTOS, however, is used in so many critical computer systems in critical industries that big security bugs could prove catastrophic. That is apparently what faces users of equipment running VxWorks, which has been reported to have no fewer than 11 zero-day vulnerabilities, some of which have been around for the last 13 years.
They might not get much media attention, but RTOSes are the silent workers of the world’s electronic equipment. They are the software that drives everything from modems to elevators to MRI machines. VxWorks’ customer list, specifically, is quite the who’s who of the industry, including Xerox, NEC, Samsung, Ricoh, and more. That only makes these 11 bugs all the more critical.
IoT security research outfit Armis collectively calls these vulnerabilities URGENT/11 to emphasize how important it is for owners to update their machines as soon as possible. These are no small-time bugs either. Six of them are marked as critical because they enable remote code execution. The other five are no less lethal, as they can grant attackers access without any user interaction. They can even, ironically, bypass security devices such as firewalls and NATs that are themselves built on VxWorks.
Despite the seemingly comical name, Armis is raising alarms all over because of the significant risk to devices. Researchers present three scenarios in which attackers can come from either inside or outside the network. One even involves attacking the network’s security devices themselves. Armis says the industrial and healthcare sectors are the ones most at risk because of their extensive use of devices that run VxWorks.
The slightly good news is that VxWorks creator Wind River has already patched the holes in the latest VxWorks 7, released on July 19. The bad news is that devices that use the RTOS can’t simply apply a software update the way you would on a phone.