Critical Zero Days Remotely Compromise the Most Popular Real-Time OS

Presented at Black Hat USA 2019, Aug. 8, 2019, 2:30 p.m. (50 minutes).

VxWorks is the most popular operating system you have never heard about. It is a real-time operating system, used by over 2 billion devices of all kinds - from airplanes to MRI machines, from firewalls to industrial control systems, and even by SpaceX’s Dragon Spacecraft. It is pervasive and trusted. But like many systems we have come to rely on, its security can break given a single vulnerability. Our talk will reveal 11 such zero-day vulnerabilities we’ve discovered in VxWorks.

Even though VxWorks is probably the oldest real-time OS still maintained, only 13 CVEs are listed by MITRE as affecting it in its 32 years of existence, making it an intriguing target for research. Due to its uncharted nature, we were able to find unusually low-level vulnerabilities affecting every VxWorks version released in the last 13 years. The vulnerabilities reside in the TCP/IP stack used by VxWorks, called IPNET, 6 of which are classified critical RCEs, and have a staggering potential. By exploiting them, attackers can bypass traditional security measures and take control over any VxWorks device with a network connection, without any user interaction.

In our talk, we will demo the exploitation of these vulnerabilities on several devices and demonstrate their dangerous aptitude. We will show how they can be used to breach a network safely secured behind a NAT and a firewall through a normal TCP connection between a printer and its Cloud, as well as the life-threatening effect of pwning sensitive devices running VxWorks, such as a hospital bedside patient monitor.


Presenters:

  • Ben Seri - VP Research, Armis Security
    Ben Seri is the VP of Research at Armis, responsible for vulnerability research and reverse engineering. His main interest is exploring the uncharted territories of a variety of wireless protocols to detect unknown anomalies. Prior to Armis, Ben spent almost a decade in the Israeli Defense Forces Intelligence as a researcher and security engineer. In his free time Ben enjoys composing and playing as many instruments as the wireless protocols he's researching.
  • Dor Zusman - Security Researcher, Armis Security
    Dor Zusman is a researcher at Armis, with rich real-world experience in cybersecurity research. Prior to Armis, Dor was a researcher, network security specialist and a developer in the Israeli Defense Forces intelligence. Dor specializes in reverse engineering, vulnerability research and network pentesting of large corporate networks. He is currently reversing IoT devices in search for novel ways to abuse them as bridgeheads into corporate networks. In his free time Dor likes to self-construct his house, to compensate for walls he takes down in cyberspace.

Links:

Similar Presentations: