Wind River VxWorks and URGENT/11: Patch Now
Notice: SonicWall physical firewall appliances running certain versions of SonicOS utilize third-party TCP/IP code for remote management that contain vulnerabilities named URGENT/11. At this time, there is no indication that the discovered vulnerabilities are being exploited in the wild, however:
SonicWall STRONGLY advises to apply the SonicOS patch immediately. Patches are available for all recent SonicOS versions. Detailed instructions are provided in the Security Advisory.
SonicWall provides the patched versions of SonicOS at no charge, including for customers not currently covered by an active support contract. SonicWall also recommends updating to the latest SonicOS release (6.5.4.4), which provides firewall capabilities to help protect other devices vulnerable to URGENT/11.
Wind River VxWorks and URGENT/11 vulnerabilities
Security researchers at Armis have discovered and responsibly disclosed 11 vulnerabilities in the TCP/IP stack of Wind River’s VxWorks real-time operating system, which is utilized by millions of devices around the world, as well as in space, on Mars and in certain versions of SonicOS. The Wind River VxWorks TCP/IP stack, named IPNET, contains vulnerabilities that have been given the name “URGENT/11.” The one material vulnerability type that impacted SonicOS is addressed by the patch releases.
Unmanageable & un-patchable: The Wild West of IoT
Wind River VxWorks is a real-time operating system that is widely used in IoT and embedded applications, such as networking, telecom, automotive, medical, industrial, consumer electronics, aerospace and beyond.
While firewalls are charged with protecting perimeters of organizations, they are actively managed and monitored devices, frequently from a central location. For every firewall, there is a human who wakes up each morning with a question, “Is my firewall working? Is it up to date?” Within days of an update becoming available, these humans schedule a maintenance window and close the security gap.
However, for the overwhelming majority of other devices connected or exposed to the internet, there is no such human, and the number of these IoT devices is larger than that of firewalls by several orders of magnitude. It is this multitude of connected devices that are not actively managed or patched that poses an iceberg-like risk to the internet.
Vulnerabilities are eventually discovered for even the best software, and the security of the internet and the online ecosystem relies on the ability to roll out and deploy the fixes.
In the mid-year update to the 2019 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers have already logged 13.5 million IoT attacks, which outpaces the first two quarters of 2018 by 54.6%.
This reality is taking hold in the minds not only of security practitioners, but also of government regulators, as the hundreds of millions of IoT devices are found to be vulnerable and remain unpatched.
This is one of the risky underbellies of the internet, led by the explosion of IoT devices, including consumer-grade devices that are frequently deployed at the edge of the internet and then forgotten for a decade. IoT’s broad reach should reverberate through several industries as a wakeup call.
‘Never stop patching’
The weaponization of published vulnerabilities against old software serves as an important reminder that customers should never procrastinate software updates, which are one of the most important steps you can take to secure your infrastructure against today’s rapidly-evolving threat landscape.
Do not ignore them or put them off. Patch now. And never stop patching.