In 2019, Wind River was notified by security researchers of vulnerabilities identified in the IPnet networking stack, which is used in various real-time operating systems (RTOS), including specific versions of VxWorks, the world's most widely used RTOS. These vulnerabilities, dubbed "Urgent/11", could potentially impact certain configurations of connected devices which used IP networking, although neither at that time nor at any time since has there been any indication that the discovered vulnerabilities were ever exploited in the wild. In this paper, we present Wind River's security response, including the timeline of events, the analysis of the vulnerabilities, the issuance of patches to help device makers mitigate potential risks to deployed systems, and lessons learnt. The importance of a coordinated Responsible Disclosure is also presented, along with the communication approach Wind River used for internal communications and externally with its customers.