-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
Wind River VxWorks IPnet TCP/IP Stack Vulnerabilities
30 July 2019
AusCERT Security Bulletin Summary
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Execute Arbitrary Code/Commands -- Remote/Unauthenticated
CVE Names: CVE-2019-12265 CVE-2019-12264 CVE-2019-12263
CVE-2019-12262 CVE-2019-12261 CVE-2019-12260
CVE-2019-12259 CVE-2019-12258 CVE-2019-12257
Multiple vulnerabilities have been discovered in the Wind River
VxWorks platform.  
The Canadian Center for Cyber Security provides the following
information about Wind River VxWorks:
"Wind River VxWorks Platform is a real-time operating system widely
used in ICS-related devices and deployed across several sectors,
including Communications, Critical Manufacturing, Energy, Healthcare
and Public Health, Transportation Systems, Water and Wastewater
Systems, and others.
Multiple vulnerabilities exist in the VxWorks default TCP/IP Stack
(called IPnet). These vulnerabilities are present in all recent
versions of non-certified VxWorks. Some of these vulnerabilities can
lead to remote code execution, denial of service and information
The Canadian Cyber Centre provides the following information regarding
Devices using the following VxWorks versions that use the TCP/IP
stack may be affected by one or more of these CVEs:
All currently-supported versions of VxWorks (126.96.36.199, Vx7
SR540, Vx7 SR610).
Previous versions of VxWorks from 6.5 onwards.
All versions of the discontinued product Advanced Networking
IPnet used as a standalone TCP/IP network stack (prior to 2006).
The VxWorks bootrom network stack.
WindRiver VxWorks products not affected:
VxWorks 5.3 through 6.4 inclusive.
All VxWorks Cert versions.
VxWorks 653 versions 2.x and earlier.
VxWorks 653 MCE 3.x
CertEdition and later.
VxWorks 653 MCE 3.x may be affected." 
The Canadian Center for Cyber Security has posted the following
information regarding the vulnerabilities:
"The following vulnerabilities exist in the VxWorks TCP/IP Stack:
CVE-2019-12255 - TCP Urgent Pointer = 0 leads to integer underflow.
CVE-2019-12256 - Stack overflow in the parsing of IPv4 packetsÃ¢Â€Â™ IP options.
CVE-2019-12257 - Heap overflow in DHCP Offer/Ack parsing inside ipdhcpc.
CVE-2019-12258 - DoS of TCP connection via malformed TCP options.
CVE-2019-12259 - DoS via NULL dereference in IGMP parsing.
CVE-2019-12260 - TCP Urgent Pointer state confusion caused by malformed TCP AO option.
CVE-2019-12261 - TCP Urgent Pointer state confusion during connect() to a remote host.
CVE-2019-12262 - Handling of unsolicited Reverse ARP replies (logic flaw).
CVE-2019-12263 - TCP Urgent Pointer state confusion due to a race condition.
CVE-2019-12264 - Logic flaw in IPv4 assignment by ipdhcpc DHCP client.
CVE-2019-12265 - IGMP information leak via IGMPv3 specific membership report.
The Canadian Cyber Centre provides the following advice for affected
Wind River has released a new version of the VxWorks real-time
operating system (VxWorks 7 SR620) which includes patched code to
address these vulnerabilities. If possible, upgrade to the latest
version of VxWorks.
Effectively segment networks and implement demilitarized zones
(DMZs) with properly configured firewalls to selectively control and
monitor traffic passed between zones.
Minimize network exposure for all control system devices and/or
systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls,
and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual
Private Networks (VPNs), recognizing that VPNs may have
vulnerabilities and should be updated to the most current version
available. Also recognize that VPN is only as secure as the
Wind River provides the following information:
"The following versions of VxWorks using the IPnet stack are
impacted (not all vulnerabilities apply to all products):
VxWorks 7 (SR540 and SR610) VxWorks 6.5-6.9 Versions of VxWorks
using the Interpeak standalone network stack
Note: The latest release of VxWorks 7 (SR620) is not affected.
Please view the Security Advisory for full details.
Wind River customers with additional questions about these
vulnerabilities should contact Wind River Customer Support or their
local Wind River representative for more information. If you own a
device that is impacted by these vulnerabilities, please contact
your device manufacturer." 
 Wind River VxWorks IPnet TCP/IP Stack Vulnerabilities
 SECURITY VULNERABILITY RESPONSE INFORMATION
 SECURITY ADVISORY: WIND RIVER TCP/IP STACK (IPNET) VULNERABILITIES
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----