Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The VxWorks OS running also on the Curiosity Rover is flawed

A security expert discovered a critical flaw in the VxWorks, one of the most reliable real-time operating systems for the IoT also used by the Curiosity Rover. The Canadian security researcher Yannick Formaggio has discovered an important flaw in VxWorks which is the real-time operating system (RTOS) developed by the Wind River, an Intel’s subsidiary. VxWorks is one […]

The VxWorks OS running also on the Curiosity Rover is flawed

A security expert discovered a critical flaw in the VxWorks, one of the most reliable real-time operating systems for the IoT also used by the Curiosity Rover.

The Canadian security researcher Yannick Formaggio has discovered an important flaw in VxWorks which is the real-time operating system (RTOS) developed by the Wind River, an Intel’s subsidiary. VxWorks is one of the most reliable real-time OS for the Internet of Things.

This family of OS is considered extraordinarily reliable and secure, they run in aviation components, industrial equipment, and also the Curiosity Rover uses it.

At the recent 44CON conference, Formaggio presented a detailed analysis of an integer overflow bug that could be exploited by an attacker for remote code execution. Formaggio analyzed the VxWorks for a client interested in evaluating it, despite the good performance of the real-time OS de discovered a serious security issue that could be triggered when a credential was set to a negative value.

VxWorks customers

Formaggio could bypass all memory protections and set up a backdoor account using this simple trick. Formaggio will provide further details on its fuzzing system in the next weeks, he also anticipated that he will not disclose the exploit code “unless explicit authorisation given”.

Formaggio also made another worrying discovery related to the VxWorks operating system, the FTP server is affected by ring buffer overflow under specific conditions:

“FTP server is susceptible to ring buffer overflow when accessed at a high speed” and crashes when sent a “specially crafted username and password”.

The security issues affect the VxWorks Versions 5.5 through 6.9.4.1, we are speaking about millions of devices need patching.

Wind River confirmed the presence of the flaw in its VxWorks system and plans to distribute a security update as soon as possible.

If you are a Wind River customer check for the availability of security patch.

Pierluigi Paganini

(Security Affairs – Wind River VxWorks, Internet of Things)