Urgent/11 further boosts VxWorks security
At Wind River, security is embedded in its DNA. It is part of the rich heritage of nearly 40 years in mission-critical systems. It is built into all the technologies it provides to help customers develop trusted and reliable solutions. Wind River takes security extremely seriously, which is why the recent vulnerabilities discovered within the TCP/IP (IPnet) networking stack, dubbed “Urgent/11,” have resulted in the most secure VxWorks to date.
Guest blog written by Arlen Baker, Wind River Chief Security Architect.
Working with the security research community
The vulnerabilities were discovered by researchers at security company Armis, and through mutually embraced Responsible Disclosure, Wind River’s dedicated security incident response team worked closely with Armis to ensure customers were notified and provided patches and mitigation options. This shared, collaborative process was designed and executed to help device makers mitigate potential risks to their users. Wind River thanks the security researchers for their role in helping discover these vulnerabilities in the IPnet networking stack.
As the supplier of the world’s most widely used and trusted real-time operating system (RTOS), Wind River is in the ranks of leading technology companies that have a responsibility to have a prudent security response process in place. This is one of the many things our customers can rely on Wind River for.
The IPnet networking stack is a component of some versions of VxWorks, including end-of-life (EOL) versions back to 6.5. Specifically, connected devices leveraging older standard VxWorks releases that include the IPnet stack are impacted by one or more of the discovered vulnerabilities. The latest release of VxWorks is not affected by the Urgent/11 vulnerability, nor are any of Wind River’s safety-critical products that are designed for safety certification, such as VxWorks 653 and VxWorks Cert Edition used in critical infrastructure.
Those impacted make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organisational networks that are non-critical and internet-facing, such as modems, routers, and printers, as well as some industrial and medical devices. The 200 million number cited by Armis is not confirmed, nor is it believed to be that high.
It is important to note that not all vulnerabilities apply to all impacted versions. To date, there is no indication the Urgent/11 vulnerabilities have been exploited in the wild. Organisations deploying devices with impacted versions of VxWorks that have the IPnet networking stack should patch impacted devices immediately.
These vulnerabilities are not unique to Wind River software. The IPnet stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of other RTOS vendors.
The importance of defence-in-depth
It is hard to find vulnerabilities in code, and there are people who will attack the code in ways you didn’t anticipate. Further, it is not uncommon for security vulnerabilities to go undetected for many years. There are many examples: Spectre/Meltdown existed in millions of processors from dozens of manufacturers and went undetected for a decade; OpenSSL vulnerabilities like Heartbleed existed for many years. The fact is, modern software systems are complex, with very rich functionality and large code bases written over many years with a constantly advancing awareness of secure programming and constantly increasing levels of scrutiny.
For this reason, Wind River takes a systematic approach to securing an embedded system – see Wind River Helix Security Framework. This decomposition of the industry standard Confidentiality, Integrity, and Availability (CIA) Triad into security-related categories, and those categories into security-related implementations, defines the Security Policy of the embedded system. The collection of security-related implementations to protect an embedded system aligns directly with the concept of Defence-in-Depth. If device makers follow these best practices, they are protected from many vulnerabilities that could otherwise be exploited.
The following built-in VxWorks security features can be applied to form a robust system and protect against the identified IPnet vulnerabilities:
VxWorks Security Feature | Principle | Category | Implementation |
Non-executable stack | Availability | Intrusion Protection | Malicious Software Prevention |
Real Time Processes | Confidentiality | Separation | Partitioning |
System Call Access control | Availability | Whitelisting | Access Control |
Task stack overrun/underrun | Availability | Intrusion Protection | Malicious Software Prevention |
Firewall | Availability | Intrusion Protection | Firewall |
Deterministic Memory Usage | Availability | Countermeasures | Attestation |
A complete review of the customers’ system is required to define a comprehensive Security Policy.
From a Homeland Security report, “Organisations cannot depend on a single countermeasure to mitigate all security issues.” From an Information Assurance Directorate report, “Unfortunately, the use of an SKPP certified kernel as one part of a system does not immediately make a system in totality highly robust.” In simplified terms, reliance on a single component is a failed security strategy.
Architecting a secure system with Wind River software
While no software is immune from zero-day vulnerabilities, customers can build their trusted systems using Wind River software with confidence. The stringent release process includes regression/network testing, static analysis and malware scans. The CVE monitoring/assessment, along with security services offerings, ensures that the most hardened system is not only initially fielded but also maintained over the life of that system. Wind River is also supported by a robust security ecosystem comprised of companies that complement the offerings and expertise.
Wind River Professional Services provides the following security-related offerings:
- Long Term Security Services – applying security patches from supported products to EOL and legacy versions of that product
- Security Assessment – taking a holistic view of the customer’s embedded system and operational environment to determine the best approach to securing the system
- Embedded Security Training – provides foundational training to the customer’s staff on how to build a secure embedded system
- FIPS 140-2 and Common Criteria Evaluations – enables a further reach of customer’s products to Government organisations
- Security Feature Configuration Review
- Information Assurance Foundation – further enables hardware-based security features (e.g., SEC engine, TPM, etc.) to create a customised solution for the customer
The solutions and services deliver everything needed to secure hardware and software, protect communication between devices and across systems, safeguard them over time, and respond quickly as new threats emerge. Additionally, the development processes and security capabilities meet rigorous requirements in place across many industries.
Courtesy of Wind River.