On 29 July 2019, security analysts from Armis, Inc. publicly disclosed 11 newly discovered vulnerabilities affecting the Wind River VxWorks Real-Time Operating System (RTOS) and identified these vulnerabilities as the “URGENT/11.”  Providing services to some of the largest companies in the world, VxWorks is the “number one commercially deployed embedded RTOS” and is used in over 2 billion devices.[1] 

Since VxWorks creation in 1986, MITRE only lists 13 vulnerabilities affecting VxWorks, which has almost doubled after this most recent disclosure.  Within this list of vulnerabilities are six remote code execution (RCE) vulnerabilities and five DoS, logical error, and information leak vulnerabilities.  These attacks are increasingly concerning because they not only target the devices on the network, but also the security appliances protecting other non-VxWorks devices.  Included in the list of vulnerable devices are medical systems such as MRI, radiotherapy equipment, laboratory equipment, etc. which, even when secured behind firewalls, can be remotely controlled or shut down.

The following vulnerabilities were disclosed as part of the “URGENT/11”:

  • CVE-2019-12255
  • CVE-2019-12256
  • CVE-2019-12257
  • CVE-2019-12258
  • CVE-2019-12259
  • CVE-2019-12260
  • CVE-2019-12261
  • CVE-2019-12262
  • CVE-2019-12263
  • CVE-2019-12264
  • CVE-2019-12265

Link to full report: IR-19-217-001 VxWorks Urgent11.pdf

[1] https://www.windriver.com/products/product-overviews/VxWorks-Product-Overview-Update.pdf