Wind River VxWorks: Update/Clarification
By Dinyar Dastoor
Wind River’s flagship VxWorks product is a leading real-time embedded operating system (RTOS) used widely in devices around the world for the last 25 years. Recently at a conference in London, a researcher presented a paper on a potential device vulnerability found in VxWorks. The potential vulnerability is present when, and only when, the optional RPC (Remote Procedure Call) feature is configured to be included in a device. Specifically, when the RPC feature is included on a device and the network port is left open, the researcher found that it was possible to crash the device with the attack.
Wind River takes product security and vulnerabilities very seriously. Prior to the conference, the findings were reported to Wind River and immediately acknowledged by Wind River security architects. Our security response process identified the affected VxWorks versions, and validated patches for each of those affected products. Since then, Wind River has issued a security advisory through our support system and patches for all supported versions that could be subjected to this attack. We are thankful to researchers for finding vulnerabilities and giving affected companies a heads up to issue patches.
The VxWorks OS is different from standard desktop OSes like Windows, Linux or Mac OS. These desktop OS platforms are “pre-configured” and delivered to end users. The end user has practically no control over what gets included in the core of the operating system, and when a security vulnerability is detected, almost every device is simultaneously affected.
VxWorks, on the other hand, as an embedded RTOS, is designed to be highly configurable to fit the resources of available processors, memory and storage. In most cases, it is delivered in source form, allowing device designers to include or exclude various components to optimize for performance, security and safety. As with all security protection, device designers make design tradeoffs on the number of security layers they would like to include, depending upon the environment in which the device will be functioning.
In the present case, the vulnerability is exposed only in devices where device designers have included the RPC component and kept its network port open. A hacker would need access to the device’s network, the device’s IP address, and the ability to send RPC requests to the device with specially crafted parameters. Wind River issued a patch through the Wind River support system to prevent a malformed RPC request from causing a crash; however, as a device designer, it is best to design multiple layers of protection into devices, including the layers of protection VxWorks offers.
Important to note: Since this vulnerability was presented at the conference, there has been some misleading media coverage speculating that the Boeing 787 Dreamliner and NASA’s Curiosity Mars Rover could be subjected to this vulnerability. These speculations are wrong. The Boeing 787 Dreamliner runs VxWorks 653, a different but related Wind River OS platform; VxWorks 653 does not contain the affected optional RPC component. NASA’s Curiosity Mars Rover does not use the affected VxWorks optional RPC component.
VxWorks is one of several operating system products in the Wind River product portfolio. The identified vulnerability does not affect Wind River products outside of the VxWorks product line.
The latest version of VxWorks (version 7) has been designed with modular security layers offering designers the flexibility to create multiple layers of security protection. You can find details here: http://windriver.com/products/vxworks/technology-profiles/#security
Wind River customers can access our latest security updates here: http://www.windriver.com/feeds/wind_river_security_notices.xml