VxWorks flaws allow access to numerous network devices
The embedded VxWorks operating system by Intel offshoot Wind River is found in various devices, such as Apple's Airport Extreme router, in printers and in VoIP phones. VxWorks cruises along motorways in car navigation systems and roams on Mars in a NASA rover. Wind River markets VxWorks in modular form and hardware vendors license and use relevant modules to build their own firmware. The incorrect implementation of two of these modules has now turned out to be the cause of security holes in numerous devices.
One of the modules in question handles the network access to the debugger. During product development, the remote debugger allows developers to read out and edit the entire device memory and to call arbitrary functions. For speed and convenience, there is no access control for this debugger, but unfortunately some vendors forget to disable debugger access in their finished products. The discoverer of this mistake didn't need long to find more than 450 affected firmware versions in a variety of devices.
Together with US-CERT, he informed over 50 affected device vendors about the problem in June. So far, only one of the vendors (Rockwell Automation) has released a statement and only Cisco has responded by updating the firmware of a VoIP phone. However, it seems that other hardware developers have noticed their mistake at some point and kept quiet about it, as only some obsolete firmware versions are affected in some devices. For instance, the firmware of Apple's Airport Extreme was found to be secure from version 5.4 onward.
The VxWorks debugger uses UDP port 17185. Devices that don't respond on this port are not affected.
The second problem is caused by a module used by hardware vendors to permanently incorporate a user name and password into their firmware. As the Wind River developers were a bit clumsy when programming the log-in procedure's password check, attackers only need to try about 8,000 passwords to be successful. They have all the time in the world to do this, because the VxWorks FTP server allows an unlimited number of log-in attempts. This vulnerability only exists if a hardware vendor keeps the default log-in enabled in a fully configured system, which Wind River advises customers to avoid. It also requires the vendor to have used the password functions Wind River provides, and the attacker to know the default access name.
The reports don't mention exactly how many devices are affected by this problem. However, as default user names and passwords for most devices tend to be available on the internet, this flaw does simplify the search to some degree.
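For defenders, both problems leave traces in ordinary network records: a device that answers on UDP port 17185, and a long run of rejected FTP log-ins from one client. The following sketch is an added example, not code from the reports or from Wind River; the CSV record format, the function names and the threshold and window values are assumptions, and the sample records are constructed.

```python
import csv, io
from collections import defaultdict, deque

WDB_PORT = 17185       # UDP port of the VxWorks debugger, as given in the article
FTP_REJECTED = "530"   # standard FTP reply code for a rejected log-in
FIELDS = ["ts", "proto", "src", "sport", "dst", "dport", "info"]  # constructed format

def parse(text):
    rows = [dict(r, ts=int(r["ts"]), sport=int(r["sport"]), dport=int(r["dport"]))
            for r in csv.DictReader(io.StringIO(text), fieldnames=FIELDS)]
    return sorted(rows, key=lambda r: r["ts"])  # stable sort keeps same-second order

def debugger_responders(records):
    """Devices that answered a datagram sent to UDP 17185."""
    probed, exposed = set(), set()
    for r in (x for x in records if x["proto"] == "udp"):
        if r["dport"] == WDB_PORT:
            probed.add((r["src"], r["dst"]))
        elif r["sport"] == WDB_PORT and (r["dst"], r["src"]) in probed:
            exposed.add(r["src"])  # reply to an earlier probe, not a stray client port
    return sorted(exposed)

def ftp_guessing(records, threshold=20, window=60):
    """(client, server) pairs with >= threshold rejected log-ins within window seconds.
    Both limits are assumptions to tune; the article gives only the ~8,000 total."""
    recent, flagged = defaultdict(deque), set()
    for r in records:
        if r["proto"] == "tcp" and r["sport"] == 21 and r["info"] == FTP_REJECTED:
            key = (r["dst"], r["src"])
            q = recent[key]
            q.append(r["ts"])
            while q[0] <= r["ts"] - window:  # drop rejections older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged.add(key)
    return sorted(flagged)

def sample_records():
    """Constructed records using documentation addresses, not real traffic."""
    lines = ["100,udp,198.51.100.7,40112,192.0.2.10,17185,",  # probe
             "100,udp,192.0.2.10,17185,198.51.100.7,40112,",  # device answers
             "101,udp,198.51.100.7,40113,192.0.2.11,17185,",  # probe, no answer
             "102,udp,192.0.2.30,17185,192.0.2.53,53,"]       # 17185 as client port only
    lines += [f"{200 + i},tcp,192.0.2.20,21,203.0.113.9,50000,530" for i in range(30)]
    lines += [f"{200 + 90 * i},tcp,192.0.2.20,21,192.0.2.99,50001,530" for i in range(3)]
    return parse("\n".join(lines))

if __name__ == "__main__":
    print(debugger_responders(sample_records()), ftp_guessing(sample_records()))
```

Because the FTP server itself never limits attempts, a rate check of this kind has to run on a firewall, flow collector or log pipeline in front of the device.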