VxWorks creates remote security hole in networks

Wind River's operating system VxWorks (which is used in Apple’s Airport Extreme router, VoIP phones, printers and navigational equipment, and can even be found in NASA technologies) contained two modules that, if not properly configured by vendors, created security holes that compromise the devices they are used on.

The first module manages how the debugger is accessed via a network.

Because developers need to debug, test, and constantly modify the software on the device, the module did not implement any access control for the debugger.

This would leave the device totally helpless if vendors or developers forgot to disable this feature in their finished products.

When this bug was discovered, hundreds of firmware images in different devices were already affected by it.

With the help of US-CERT, the 54 affected vendors were informed about the problem last June. This prompted some vendors such as Cisco to update their firmware.

Other vendors seem to have been better prepared, as in the case of Apple, whose Airport Extreme was already secure (devices with firmware version 5.4 and higher).

It seems that their hardware developers already spotted the problem and silently but promptly remedied it. 

The debugger communicates over UDP port 17185.

Luckily, devices that don’t use this port aren’t affected.

The second module allows hardware vendors to hardcode the username and password into the firmware of the device.

This would be okay were it not for the sloppy implementation of its password checker.

Since the VxWorks FTP server places no limit on log-in attempts, it is as if the vendors are handing over their devices on a silver platter to be hacked.

A hacker would only need to know the vendor’s default access name and attempt to log in 8,000 times before being able to fully compromise a device.

The vendor would have to disable the default log-in in their systems to repel this kind of attack.

Wind River encourages all its customers to do this. This problem would not be an issue if vendors used their own password functions.
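For operators who cannot yet reflash their devices, both problems leave traces on the network: traffic to UDP port 17185 from outside the management network, and long runs of failed FTP log-ins against one device. The following is an added example, not code from Wind River or from the original article; the log format, addresses, management subnet and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WDB_PORT = 17185  # UDP port of the VxWorks debugger named in the article
# Constructed sample events: time, source, destination, protocol, port, event
SAMPLE_LOG = """\
2010-08-02T10:00:00 10.0.9.5 10.0.0.20 udp 17185 flow
2010-08-02T10:00:03 198.51.100.7 10.0.0.20 udp 17185 flow
2010-08-02T10:00:04 198.51.100.7 10.0.0.21 udp 53 flow
2010-08-02T10:01:00 203.0.113.9 10.0.0.30 tcp 21 ftp_login_fail
2010-08-02T10:01:01 203.0.113.9 10.0.0.30 tcp 21 ftp_login_fail
2010-08-02T10:01:02 203.0.113.9 10.0.0.30 tcp 21 ftp_login_fail
2010-08-02T10:05:00 10.0.9.5 10.0.0.30 tcp 21 ftp_login_fail
"""

def parse(log):
    """Yield (time, src, dst, proto, port, event) tuples, skipping malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, src, dst, proto, port, event = fields
        yield datetime.fromisoformat(ts), src, dst, proto, int(port), event

def wdb_exposures(events, mgmt_net):
    """Return (src, dst) pairs that reached the debug port from outside mgmt_net."""
    allowed = ip_network(mgmt_net)
    return sorted({(src, dst) for _, src, dst, proto, port, _ in events
                   if proto == "udp" and port == WDB_PORT
                   and ip_address(src) not in allowed})

def ftp_guessing(events, threshold=3, window=timedelta(seconds=60)):
    """Return (src, dst) pairs with at least `threshold` failed log-ins inside `window`."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, dst, _, _, event in events:  # events must be in time order
        if event != "ftp_login_fail":
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add((src, dst))
    return sorted(flagged)

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print(wdb_exposures(events, "10.0.9.0/24"), ftp_guessing(events))
```

Because the FTP server itself never throttles or locks out, the threshold here can be set far below the 8,000 attempts mentioned above so that guessing is noticed early.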

The full extent of the devices affected by these problems is not known.

With the help of the internet, looking for devices affected by these flaws just becomes a tad easier.