Security Vulnerabilities in VxWorks OS

Wednesday, August 11, 2010 @ 05:08 PM gHale


Two critical security bugs could allow an attacker to take control of the VxWorks operating system, which powers products from multiple vendors, including industrial control systems.
VxWorks is a real-time operating system used in embedded systems, including control system components. While not all products using VxWorks are vulnerable, ICS-CERT recommends end users contact their vendors to determine if their products are vulnerable. Wind River Systems developed VxWorks. Intel bought Wind River last year.
HD Moore, chief security officer at Rapid7, said the vulnerabilities rest in the VxWorks debug service and the hashing algorithm used in the standard authentication API for VxWorks. If exploited, the flaw in the VxWorks debug service (WDB Agent) could permit an attacker to potentially hijack the entire operating system.
The flaw occurs because there are only 210,000 possible hash outputs for all possible passwords, Moore said. An attacker can cycle through the most common ranges of hash outputs of about 8,000 work-alike passwords to gain access to a VxWorks device. Using the FTP protocol, this attack would only take about 30 minutes to try all common password permutations.
Access to the debug service could result in information disclosure or denial-of-service attacks against the affected device, ICS-CERT officials said. Complete control of the device may be possible. The authentication vulnerability could allow an attacker to guess the password and gain unauthorized access to the device.
Brute forcing a password is not difficult, and software tools exist to automate the process, ICS-CERT officials said. Exploiting the authentication API vulnerability is easier because there is no default account lockout. There is no disconnection for too many incorrect login attempts.
End users should restrict access to debug port 17185/udp with appropriate firewall rules, ICS-CERT officials said. It is good security practice to block all ports not explicitly needed for operation, they added. This is part of the “default deny” policy.
Users should restrict access to any service that uses the standard default authentication (e.g., rlogin, Telnet, FTP) with appropriate firewall rules. If possible, they should disable these services if not needed. Intrusion detection/prevention systems can detect brute force attacks (password guessing) against such services.
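Because the authentication API imposes no lockout or disconnect, the signal a detection system can rely on is the volume of failures from one source in a short span. The following is an added example, not from the article or ICS-CERT, that flags such bursts with a sliding window over constructed, hypothetical FTP login-failure log lines; the log format, field names and thresholds are assumptions.

```python
# Added example (not from the article or ICS-CERT): flag password-guessing
# bursts against a service that never locks out, using a sliding window over
# constructed FTP login-failure log lines.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a syslog-like format (hypothetical device log).
SAMPLE_LOG = """\
2010-08-11T14:00:01 ftpd: FAIL LOGIN user=admin from=10.0.0.5
2010-08-11T14:00:02 ftpd: FAIL LOGIN user=admin from=10.0.0.5
2010-08-11T14:00:02 ftpd: FAIL LOGIN user=admin from=10.0.0.5
2010-08-11T14:00:03 ftpd: FAIL LOGIN user=admin from=10.0.0.5
2010-08-11T14:00:04 ftpd: FAIL LOGIN user=admin from=10.0.0.5
2010-08-11T14:00:05 ftpd: OK LOGIN user=admin from=10.0.0.5
2010-08-11T14:00:30 ftpd: FAIL LOGIN user=oper from=10.0.0.9
2010-08-11T14:09:30 ftpd: FAIL LOGIN user=oper from=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ftpd: (?P<result>FAIL|OK) LOGIN user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def find_bruteforce(log_text, threshold=5, window_s=60):
    """Return {src_ip: timestamp_of_first_alert} for every source that reaches
    `threshold` failed logins inside any `window_s`-second span.
    Each source is reported once, at the failure that crossed the threshold."""
    recent = defaultdict(deque)  # src -> timestamps of failures still in the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue  # ignore malformed lines and successful logins
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and m["src"] not in alerts:
            alerts[m["src"]] = m["ts"]
    return alerts


if __name__ == "__main__":
    for src, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible password guessing from {src}, threshold reached at {when}")
```

The slow guesser (two failures nine minutes apart) is intentionally not flagged, which is the trade-off to tune when choosing the threshold and window for a given device.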
Among the advice from ICS-CERT is a recommendation that vendors using VxWorks in their products change the default hashing algorithm in the standard authentication API in favor of a trusted authentication API.
To address the Debug Service issue, vendors can remove the WDB target debug agent in their VxWorks-based products by removing the INCLUDE_WDB & INCLUDE_DEBUG components from their VxWorks Image. In addition, enterprises worried about the issue can adjust their firewall rules to restrict access to the debug service over UDP port 17185 to only trusted sources until affected vendors release a patch.
Moore gave presentations on the issues at the Security B-sides and DEFCON 18 conferences in Las Vegas.
A spokesperson for Wind River said the company responded and “distributed patches and remediation steps” in conjunction with the CERT announcement.
The following is a list of affected vendors issuing updates on the debug service. The following is a list of affected vendors issuing updates on the weak default hashing algorithm.


