Wind River Software VxWorks RTOS Weak Password Hashing Algorithms

Title

VxWorks Weak Password Hashing Algorithms

Product

Wind River Software VxWorks RTOS

Vulnerable Version

>= VxWorks 6.9

Fixed Version

not available

CVE Number

no CVE assigned by Wind River

Impact

high

Homepage

https://www.windriver.com/

Found

21.03.2024

By

Steffen Robertz (Office Vienna), Constantin Schieber-Knoebl (Office Vienna), Stefan Viehboeck (Office Vienna) | SEC Consult Vulnerability Lab

The password hashing algorithms used in VxWorks 6.9 and VxWorks 7 are weak and can be cracked efficiently.

Vendor description

"VxWorks is a real-time operating system (or RTOS) developed as proprietary software by Wind River Systems, a subsidiary of Aptiv. First released in 1987, VxWorks is designed for use in embedded systems requiring real-time, deterministic performance and in many cases, safety and security certification for industries such as aerospace, defense, medical devices, industrial equipment, robotics, energy, transportation, network infrastructure, automotive, and consumer electronics."

Source: https://www.windriver.com/

Business recommendation

SEC Consult advises affected Wind River VxWorks customers to perform thorough security reviews of their products to assess whether and how they are impacted by these vulnerabilities. As a mitigation measure, customers should avoid using the built-in authentication mechanisms of the VxWorks operating system and instead implement and use modern password hashing algorithms with a sufficiently high cost factor.

Vulnerability overview/description

1) VxWorks 6.9 Weak Password Hashing Algorithm (no CVE assigned by Wind River)

The password hashing algorithm introduced in VxWorks 6.9 is considered insecure. This algorithm employs a single iteration of SHA-256 combined with a salt to hash user passwords. This method was intended to replace a previous proprietary hashing algorithm that was susceptible to collision attacks (CVE-2010-2965). 

However, even at the time of its release in 2011, the use of a single iteration for password hashing was deemed inadequate. For comparison, md5crypt (introduced in 1994) uses 1,000 iterations, and sha256crypt (introduced in 2008) uses 5,000 iterations. This hashing algorithm is approximately 600,000 times weaker than current standards (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2).

An attacker who extracts user password hashes from a VxWorks-based device can efficiently crack the passwords using a GPU cracking setup (e.g., hashcat on RTX 4090). Potential vectors for extracting user hashes include:

  • Physical access to the device memory via hardware hacking (e.g. bootloader  access via UART, dumping of memory chips, JTAG, etc.)
  • Remote access to device debug interfaces
  • Access to firmware update files containing hard-coded users accounts  (e.g. vendor backdoors added via the loginUserAdd() function)

2) VxWorks 7 Weak Password Hashing Algorithm (no CVE assigned by Wind River)

The password hashing algorithm used in VxWorks 7 (24.04) is also considered insecure. This algorithm uses 5,000 iterations of SHA-256 combined with a salt to hash user passwords. The specific version in which this hashing algorithm was introduced remains unknown to the authors. Nonetheless, this algorithm is still 5,000 times weaker than current standards (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2).

The same attack vectors mentioned in issue #1 apply here. Modern embedded systems possess the computational power necessary to perform secure password hashing. Introducing a new password hashing scheme with a default cost factor that provides robust defense against GPU cracking is essential. Additionally, developers should have the flexibility to set a lower, albeit less secure, cost factor for devices with limited computational resources.

Proof of concept

1) VxWorks 6.9 Weak Password Hashing Algorithm (no CVE assigned by Wind River)

The password hashes can be cracked using the hashcat hash type 1420 "sha256($salt.$pass)" and the --hex-salt option. The following Python script re-implements the hashing algorithm in Python and demonstrates how hashes can be prepared for cracking with hashcat.

```python
from hashlib import sha256
from base64 import b64decode, b64encode

def format_pw_vx69_hashcat(pw_hash_base64,salt_base64):
    # formats hash for cracking with hashcat hash type 1420 "sha256($salt.$pass)" and the --hex-salt option
    hash = b64decode(pw_hash_base64)
    salt = b64decode(salt_base64)
    print('%s:%s'%(hash.hex(),salt.hex()))

def hash_pw_vx69(password, salt_base64):
    salt = b64decode(salt_base64)

    hash_input = salt + password.encode()

    digest = sha256(hash_input).digest()
    digest_base64 = b64encode(digest).decode()

    return digest_base64

salt = 'BFqADK/VLEk='
pw_hash = 'm4qJ/O/Iam+2AdBmwD7+cav+W6HABSdMF2yQyK+rIQA='

format_pw_vx69_hashcat(pw_hash,salt)

if hash_pw_vx69('password', salt) == pw_hash:
    print('Hashes match!')
```

2) VxWorks 7 Weak Password Hashing Algorithm (no CVE assigned by Wind River)

Cracking these hashes requires the implementation of a hashcat "sha256($salt.$pass)" variant that uses 5,000 rounds.

Vulnerable / tested versions

The following version has been tested which was the latest version available at the time of the test:

  • VxWorks 6.9 Weak Password Hashing Algorithm was verified on a device  based on VxWorks 6.9
  • VxWorks 7 Weak Password Hashing Algorithm was verified on a device  based on VxWorks 7 (24.04)

Vendor contact timeline

2024-07-10 Contacting vendor through psirt@windriver.com, attaching encrypted security advisory. Vendor confirms receipt and is working on it.
2024-07-22 Requesting a status update. Vendor asks for exact version number of 6.9 to determine next steps.
2024-07-24 The analyzed device used 6.9.4.12, but stating that all 6.9.x versions are affected.
2024-07-25 Vendor wants to discuss further details and requests a meeting.
2024-07-29 Asking for brief summary of initial analysis and timezones.
2024-08-09 Vendor provides a write-up of their current position on these issues.
2024-09-02 Delayed response from our side due to vacation, providing remarks on the vendor's statement and proposing a few dates.
2024-09-10 Conference call with vendor, discussing positions and next steps.
2024-09-10 Vendor informs us about their final decision to treat the issue as a "feature upgrade" and not a vulnerability. No ETA on implementation.
2024-10-10 Relaying vulnerability information to "company that builds their devices on VxWorks" - where the vulnerability was initially found.
2024-10-22 Conference call with "company that builds their devices on VxWorks".
2024-11-21 Company that builds their devices on VxWorks confirms their products are not affected by the issue as they are not using the VxWorks OS authentication mechanisms.
2025-01-17 Contacting vendor to inform them about the upcoming publication, asking if they have informed their customers and if there are any resources available for reference.
2025-01-17 The vendor responds, stating that they have been in contact with the "company that builds their devices on VxWorks," but they do not confirm whether they have reached out to other affected customers or published any resources.
2025-01-27 Public release of advisory and blog post https://r.sec-consult.com/vxblog

Solution

There is no solution available. Please contact the vendor for further information.  

Workaround

The vendor did not publish any information on possible workarounds. Please contact the vendor for further information.

SEC Consult advises affected Wind River VxWorks customers to perform thorough security reviews of their products to assess whether and how they are impacted by these vulnerabilities. As a mitigation measure, customers should avoid using the built-in authentication mechanisms of the VxWorks operating system and instead implement and use modern password hashing algorithms with a sufficiently high cost factor.

Advisory URL

https://sec-consult.com/vulnerability-lab/

 

EOF Steffen Robertz, Constantin Schieber-Knoebl, Stefan Viehboeck / @2025

 

Interested to work with the experts of SEC Consult? Send us your application.
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices.

 

Back