Last week the real-time embedded systems vendor Wind River Systems released security updates for a large number of critical infrastructure systems.
If any of your enterprise clients use modems, routers, firewalls, printers, industrial control or medical monitoring devices within their network perimeter, check whether any of those devices use Wind River’s VxWorks software based on their TCP/IP stack (IPnet). If so, review the FAQs and security advisory linked to below and install the necessary updates.
Why should these vulnerabilities be considered important?
The number of affected devices is thought to be very large due to the prevalence of devices running the vulnerable VxWorks software. I realize the list of devices above is very generic, but the FAQs and security advisory are not vendor or model specific. This means you may have some of these devices and not even realize it. Verifying whether they are using VxWorks, and which version, will be a priority.
Since medical monitoring and industrial control devices are included in this advisory, exploitation of these vulnerabilities could pose a threat to human life, e.g. if incorrect results are displayed on a medical device, too much medication is administered, or temperatures exceed safe levels in an industrial control system.
Due to the nature of four of the vulnerabilities, a border firewall will not always be enough to prevent an attacker from exploiting them. Broadcast packets could be sent to every device in the network, compromising them all at once.
How can I protect my organization from these vulnerabilities?
Review the FAQs and the security advisory and take the necessary steps to install the relevant patches. If your organisation is affected, first apply the necessary mitigations to any vulnerable device you initially discover while you assess the remaining number of impacted devices and develop a plan/schedule for installing the patches:
Mitigations listed on Page 3 (onwards) of this security advisory:
From my understanding of the information provided by Wind River, they are directly contacting their affected clients and may offer paid-for assistance to resolve these vulnerabilities for out-of-support devices. However, there is a possibility they may inadvertently miss an affected organisation. Please contact Wind River if in doubt:
Wind River’s Blog Post:
Kaspersky ThreatPost article: