By Arlen Baker, Wind River Chief Security Architect
Working with the Security Research Community
At Wind River, security is embedded in our DNA. It is part of our rich heritage of nearly 40 years in mission-critical systems. It is built into all the technologies we provide to help our customers develop trusted and reliable solutions. We take security extremely seriously, which is why the recent vulnerabilities discovered within the TCP/IP (IPnet) networking stack, dubbed “Urgent/11,” have resulted in the most secure VxWorks to date.
The vulnerabilities were discovered by researchers at security vendor Armis, and through mutually embraced Responsible Disclosure, Wind River’s dedicated security incident response team worked closely with Armis to ensure customers were notified and provided patches and mitigation options. This shared, collaborative process was designed and executed to help device makers mitigate potential risks to their users. We thank the security researchers for their role in helping us discover these vulnerabilities in the IPnet networking stack.
It is important to note that these vulnerabilities are not unique to Wind River software. The IPnet stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of other real-time operating system (RTOS) vendors.
As the supplier of the world’s most widely used and trusted RTOS, we’re in the ranks of leading technology companies that have a responsibility to have a prudent security response process in place. This is one of the many things our customers can rely on us for.
The IPnet networking stack is a component of some versions of VxWorks, including end-of-life (EOL) versions back to 6.5. Specifically, connected devices leveraging older standard VxWorks releases that include the IPnet stack are impacted by one or more of the discovered vulnerabilities. The latest release of VxWorks is not affected by the Urgent/11 vulnerability, nor are any of Wind River’s safety-critical products that are designed for safety certification, such as VxWorks 653 and VxWorks Cert Edition used in critical infrastructure.
Those impacted make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organizational networks that are non-critical and internet-facing, such as modems, routers, and printers, as well as some industrial and medical devices. The 200 million number cited by Armis is not confirmed, nor do we believe it to be that high.
Not all vulnerabilities apply to all impacted versions. To date, there is no indication the Urgent/11 vulnerabilities have been exploited in the wild. Organizations deploying devices with impacted versions of VxWorks that have the IPnet networking stack should patch impacted devices immediately.
The Importance of Defense-in-Depth
It is hard to find vulnerabilities in code, and there are people who will attack the code in ways you didn’t anticipate. Further, it is not uncommon for security vulnerabilities to go undetected for many years. There are many examples: Spectre/Meltdown existed in millions of processors from dozens of manufacturers and went undetected for a decade; OpenSSL vulnerabilities like Heartbleed existed for many years. The fact is, modern software systems are complex, with very rich functionality and large code bases written over many years with a constantly advancing awareness of secure programming and constantly increasing levels of scrutiny.
For this reason, Wind River takes a systematic approach to securing an embedded system – see Wind River Helix Security Framework. This decomposition of the industry-standard Confidentiality, Integrity, and Availability (CIA) Triad into security-related categories, and of those categories into security-related implementations, defines the Security Policy of the embedded system. The collection of security-related implementations to protect an embedded system aligns directly with the concept of Defense-in-Depth. If device makers follow these best practices, they are protected from many vulnerabilities that could otherwise be exploited.
The following built-in VxWorks security features can be applied to form a robust system and protect against the identified IPnet vulnerabilities:
| VxWorks Security Feature | Principle | Category | Implementation |
|---|---|---|---|
| Non-executable stack | Availability | Intrusion Protection | Malicious Software Prevention |
| Real Time Processes | Confidentiality | Separation | Partitioning |
| System Call Access control | Availability | Whitelisting | Access Control |
| Task stack overrun/underrun | Availability | Intrusion Protection | Malicious Software Prevention |
| Deterministic Memory Usage | Availability | Countermeasures | Attestation |
A complete review of the customers’ system is required to define a comprehensive Security Policy.
From a Homeland Security report*, “Organizations cannot depend on a single countermeasure to mitigate all security issues.” From an Information Assurance Directorate report*, “Unfortunately, the use of an SKPP certified kernel as one part of a system does not immediately make a system in totality highly robust.” In simplified terms, reliance on a single component is a failed security strategy.
Architecting a Secure System with Wind River Software
While no software is immune from zero-day vulnerabilities, customers can build their trusted systems using Wind River software with confidence. Our stringent release process includes regression/network testing, static analysis and malware scans. Our CVE monitoring/assessment, along with security services offerings, ensures that the most hardened system is not only initially fielded but also maintained over the life of that system. We are also supported by a robust security ecosystem comprised of companies that complement our offerings and expertise.
Wind River Professional Services provides the following security-related offerings:
- Long Term Security Services – applying security patches from supported products to EOL and legacy versions of that product
- Security Assessment – taking a holistic view of the customer’s embedded system and operational environment to determine the best approach to securing the system
- Embedded Security Training – provides foundational training to the customer’s staff on how to build a secure embedded system
- FIPS 140-2 and Common Criteria Evaluations – enables a further reach of customer’s products to Government organizations
- Security Feature Configuration Review
- Information Assurance Foundation – further enables hardware-based security features (e.g., SEC engine, TPM, etc.) to create a customized solution for the customer
Our solutions and services deliver everything needed to secure hardware and software, protect communication between devices and across systems, safeguard them over time, and respond quickly as new threats emerge. Additionally, our development processes and security capabilities meet rigorous requirements in place across many industries.
For more information on the IPnet vulnerabilities, including the security advisory, FAQ, patch information, and other mitigation options see the Wind River Security Alert. You can also contact Wind River Support with any questions.
As always, Wind River stands ready to assist our customers in securing their devices and systems.
* Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies, September 2016
* Separation Kernels on Commodity Workstations, March 2010