New VxWorks Vulnerabilities

Blog Post created by rapid7-admin on Aug 2, 2010

Originally Posted by HD Moore



CERT plans to publish advisories for VU#362332 and VU#840249 today, both flaws in the VxWorks operating system. VxWorks powers a wide range of devices, from printers to fibre-channel switches and even spacecraft. NeXpose users already have a check in place for VU#362332, while VU#840249 is a bit more complicated and has to be handled at the vendor level.

The first flaw (VU#362332) refers to an exposed VxWorks debug service (WDB Agent). This service runs over UDP port 17185 and allows complete access to the device, including the ability to manipulate memory, steal data, and ultimately hijack the entire operating system. This service was inadvertently left exposed by over 100 different vendors and affects at least 250,000 devices sitting on the internet today. We strongly recommend that ACLs be put in place for UDP 17185 until you have a chance to assess each of your networks and verify that none of your devices suffer from this issue. The NeXpose check was pushed out in the last update and should detect all instances of this vulnerability. The open source and free-to-use Metasploit Framework can also be used to scan for this vulnerability. Our own research indicates that this flaw has already been widely exploited as far back as 2006. You may also refer to our list of known-vulnerable devices; keep in mind, however, that this list is not comprehensive.

The second flaw relates to a weak password hashing implementation in the VxWorks operating system. Any device that uses the built-in authentication library to handle Telnet and FTP authentication can be compromised. The flaw occurs because there are only 210,000 possible hash outputs for all possible passwords. An attacker can simply cycle through about 8,000 work-alike passwords that cover the most common ranges of hash outputs to gain access to a VxWorks device. Using the FTP protocol, this attack would only take about 30 minutes to try all common password permutations. Since detecting this flaw requires knowing a valid username and knowing that the device uses the built-in library, there is no quick way to scan for this issue across the network. Instead, we recommend that you keep an eye out for any device with a Telnet or FTP banner containing the "VxWorks" string. If you need to confirm that a specific device is not affected, you can also contact the manufacturer and refer to the CERT ID (VU#840249). In some situations, it is possible to detect this flaw by analyzing a firmware image of the target device.
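The two network-side recommendations above (ACLs on UDP 17185, and watching for "VxWorks" in Telnet or FTP banners) can be applied to a scan export you already have. The following is an added example, not code from the original post or from Rapid7; the CSV columns, the sample rows and the `triage` function are constructed for illustration.

```python
import csv
import io

WDB_PORT = 17185                 # UDP port of the WDB agent (VU#362332)
BANNER_PORTS = {21, 23}          # FTP and Telnet, the services named for VU#840249
# A silent UDP port is ambiguous, so "open|filtered" still needs review.
UDP_REVIEW_STATES = {"open", "open|filtered"}

# Constructed sample inventory (not real scan output); column names are assumed.
SAMPLE_CSV = """host,proto,port,state,banner
192.0.2.10,udp,17185,open,
192.0.2.10,tcp,21,open,220 VxWorks FTP server ready
192.0.2.11,tcp,23,open,vxworks login:
192.0.2.12,udp,17185,open|filtered,
192.0.2.13,tcp,21,open,220 ExampleFTPd ready
192.0.2.14,tcp,80,open,Server: VxWorks-httpd
192.0.2.15,udp,17185,closed,
"""


def triage(csv_text):
    """Map each host to the set of follow-up actions it needs."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        proto = row["proto"].strip().lower()
        port = int(row["port"])
        state = row["state"].strip().lower()
        banner = (row["banner"] or "").lower()
        if proto == "udp" and port == WDB_PORT and state in UDP_REVIEW_STATES:
            note = "VU#362332: apply ACL on UDP 17185 and verify the device"
        elif (proto == "tcp" and port in BANNER_PORTS and state == "open"
              and "vxworks" in banner):
            # The banner alone does not prove the built-in auth library is used.
            note = "VU#840249: confirm with the manufacturer"
        else:
            continue
        findings.setdefault(row["host"], set()).add(note)
    return findings


if __name__ == "__main__":
    for host, notes in sorted(triage(SAMPLE_CSV).items()):
        print(host, "; ".join(sorted(notes)))
```

Only Telnet and FTP banners are matched, as in the text, so the constructed HTTP row on 192.0.2.14 is not flagged.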

While the most commonly found VxWorks devices include printers and print servers, many critical systems have also been found to run the VxWorks operating system and be affected by at least one of these two flaws. Dell's PowerConnect switches, HP's MSA RAID controllers, and a large number of fibre-channel switches and VoIP equipment have all been identified as vulnerable. If you would like more information on these issues, please see the Metasploit blog post and the Fun with VxWorks presentation slides.