Critical Flaws Discovered in Widely Used Embedded OS
Angela Moscaritolo writes on SC Magazine:
Two critical vulnerabilities have been discovered in mission-critical systems used in 500 million devices, including VoIP phones, telecom equipment, military routing devices, automobile controls and spacecraft.
Last week at the Security B-Sides and DEFCON conferences in Las Vegas, HD Moore, chief security officer at Rapid7 and founder and chief architect of Metasploit, disclosed two critical vulnerabilities in VxWorks, which is used to power Apple Airport Extreme access points, Mars rovers and C-130 Hercules aircraft, in addition to microwaves, switches, sensors, telecom equipment and industrial control monitors.
VxWorks has a service enabled by default that provides read or write access to a device's memory and allows functions to be called, Moore told SCMagazineUS.com on Tuesday. The vulnerable service, called WDB agent, is a “debugger” for the VxWorks operating system that is used to diagnose problems and ensure code is working properly when a product is being developed.
The debugging service, a selectable component in the VxWorks configuration enabled by default, is not secured and represents a security hole in a deployed system, according to an advisory issued by the US-CERT on Monday.