IoT security startup Armis said it discovered 11 zero-day vulnerabilities, dubbed Urgent/11, in Wind River VxWorks, a real-time operating system used in more than 2 billion devices across industrial, medical, and enterprise environments.
“It is the most widely used, commercial real-time operating system,” said Michael Parker, Armis chief marketing officer, adding that this OS is used in mission-critical systems such as elevator and industrial controllers, other control systems, patient monitors, MRI machines, firewalls, routers, modems, VOIP phones, and printers. “It is pervasive in the enterprise space.”
The vulnerabilities affect VxWorks versions released over the last 13 years, from version 6.5 onward, that include the IPnet stack. Urgent/11 does not impact versions of the product designed for certification, such as VxWorks 653 and VxWorks Cert Edition.
Wind River issued patches to fix the vulnerabilities, and both the software company and Armis say they aren’t aware of any instances in which Urgent/11 has been exploited.
But because this particular OS is so pervasive across enterprise devices and used in equipment manufactured by Siemens, ABB, Emerson Electric, Rockwell Automation, Mitsubishi Electronic, Samsung, Ricoh, Xerox, NEC, Arris, and others, it’s difficult to know if all the flaws have been fixed, Parker said.
“More than 200 million devices are vulnerable to this and need patching,” he said. “And the devices that are impacted — these are brand-name companies that play in manufacturing and healthcare and enterprise that use the Wind River solution. Some of these we have been working with, and some we have not. There’s just so many.”
How Urgent/11 Works
Urgent/11 includes six critical remote code execution vulnerabilities. These could give an attacker full control over a targeted device via unauthenticated network packets. Any connected device running VxWorks that includes the IPnet stack is affected by at least one of the discovered vulnerabilities.
This includes internet-facing devices at the perimeter of organizational networks, such as modems, routers, and firewalls. A vulnerability in such a device may enable an attacker to breach the network directly from the internet.
“This is something unique about this vulnerability because most attacks from the internet require some user interaction, and this doesn’t require such action,” said Ben Seri, VP of research at Armis. “An attacker can come in from the internet and directly attack the firewall through the internet, then he can gain access to the network.”
Devices protected by perimeter security tools such as firewalls can also be vulnerable once they create Transmission Control Protocol (TCP) connections to the internet. These connections can be hijacked and used to trigger the discovered TCP vulnerabilities, allowing attackers to take over the device and access the internal network.
A hospital printer connected to a cloud printing service and protected by a firewall is an example, Seri said. “If an attacker can initiate the connection, he can trigger the vulnerability, and can gain access through the printer. The printer is the way he gets inside the door, and then he can try to attack anything inside the hospital,” he explained. This could include stealing patient data as well as changing patient information and manipulating a patient’s vitals or creating false alarms.
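Turning the two exposure paths above into a triage check, as an added example that is not from Armis or the article: given a constructed asset inventory and constructed firewall egress-log lines, it classifies each VxWorks device as internet-facing (perimeter), as an internal device that opens TCP connections to the internet (the hijack path described for the printer), or as internal-only. Device names, the log format, and the addresses are assumptions; documentation-range addresses stand in for internet hosts.

```python
import ipaddress
import re

# Constructed inventory: device -> (ip, reported OS, role). Anything whose OS
# string mentions VxWorks is treated as in scope for Urgent/11.
INVENTORY = {
    "fw-edge-1":   ("203.0.113.10", "VxWorks 6.9", "perimeter"),
    "printer-icu": ("10.0.5.21",    "VxWorks 6.8", "internal"),
    "monitor-3b":  ("10.0.7.40",    "VxWorks 7",   "internal"),
    "workstation": ("10.0.9.12",    "Windows 10",  "internal"),
}

# Constructed egress-log lines in an assumed key=value firewall format.
EGRESS_LOG = """\
2019-07-29T10:01:02 src=10.0.5.21 dst=198.51.100.7:443 proto=tcp action=allow
2019-07-29T10:01:05 src=10.0.7.40 dst=10.0.1.5:443 proto=tcp action=allow
2019-07-29T10:01:09 src=10.0.9.12 dst=198.51.100.9:443 proto=tcp action=allow
2019-07-29T10:02:11 src=10.0.7.40 dst=198.51.100.7:123 proto=udp action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+):\d+ proto=(\w+)")

# Address space considered "inside"; everything else counts as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def vxworks_devices():
    return {n: v for n, v in INVENTORY.items() if "vxworks" in v[1].lower()}

def devices_with_internet_tcp(log_text):
    """Source IPs that opened TCP connections to non-internal addresses."""
    out = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3).lower() == "tcp" and not is_internal(m.group(2)):
            out.add(m.group(1))
    return out

def triage(log_text=EGRESS_LOG):
    """Map each in-scope device to the exposure path the article describes."""
    talkers = devices_with_internet_tcp(log_text)
    result = {}
    for name, (ip, _os, role) in vxworks_devices().items():
        if role == "perimeter":
            result[name] = "internet-facing"
        elif ip in talkers:
            result[name] = "outbound-tcp-hijack-path"
        else:
            result[name] = "internal-only"
    return result
```

Perimeter devices and devices on the hijack path are the ones to patch or isolate first; the workstation is ignored because it does not run VxWorks.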
“We’re in a new age of connected devices, and these — like patient monitors, industrial controllers, even firewalls — are unmanaged or unagentable,” meaning you cannot install agents on them, Parker added. “The key takeaway is we have a whole new generation of devices that are used throughout the business and are vulnerable. These devices have to be properly secured.”