===========================================================================
AUSCERT Security Bulletin
ASB-2019.0224
Wind River VxWorks IPnet TCP/IP Stack Vulnerabilities
30 July 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              VxWorks
Operating System:     Network Appliance
Impact/Access:        Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-12265 CVE-2019-12264 CVE-2019-12263
                      CVE-2019-12262 CVE-2019-12261 CVE-2019-12260
                      CVE-2019-12259 CVE-2019-12258 CVE-2019-12257
                      CVE-2019-12256 CVE-2019-12255
OVERVIEW
Multiple vulnerabilities have been discovered in the Wind River
VxWorks platform. [1] [2]
The Canadian Centre for Cyber Security provides the following
information about Wind River VxWorks:
"Wind River VxWorks Platform is a real-time operating system widely
used in ICS-related devices and deployed across several sectors,
including Communications, Critical Manufacturing, Energy, Healthcare
and Public Health, Transportation Systems, Water and Wastewater
Systems, and others.
Multiple vulnerabilities exist in the VxWorks default TCP/IP Stack
(called IPnet). These vulnerabilities are present in all recent
versions of non-certified VxWorks. Some of these vulnerabilities can
lead to remote code execution, denial of service and information
leaks." [1]
AFFECTED PRODUCTS
The Canadian Cyber Centre provides the following information regarding
affected products:
"Devices using the following VxWorks versions that use the TCP/IP
stack may be affected by one or more of these CVEs:
  - All currently-supported versions of VxWorks (6.9.4.11, Vx7
    SR540, Vx7 SR610).
  - Previous versions of VxWorks from 6.5 onwards.
  - All versions of the discontinued product Advanced Networking
    Technology (ANT).
  - IPnet used as a standalone TCP/IP network stack (prior to 2006).
  - The VxWorks bootrom network stack.
Wind River VxWorks products not affected:
  - VxWorks 5.3 through 6.4 inclusive.
  - All VxWorks Cert versions.
  - VxWorks 653 versions 2.x and earlier.
  - VxWorks 653 MCE 3.x CertEdition and later.
VxWorks 653 MCE 3.x may be affected." [1]
IMPACT
The Canadian Centre for Cyber Security has posted the following
information regarding the vulnerabilities:
"The following vulnerabilities exist in the VxWorks TCP/IP Stack:
CVE-2019-12255 - TCP Urgent Pointer = 0 leads to integer underflow.
CVE-2019-12256 - Stack overflow in the parsing of IPv4 packets’ IP options.
CVE-2019-12257 - Heap overflow in DHCP Offer/Ack parsing inside ipdhcpc.
CVE-2019-12258 - DoS of TCP connection via malformed TCP options.
CVE-2019-12259 - DoS via NULL dereference in IGMP parsing.
CVE-2019-12260 - TCP Urgent Pointer state confusion caused by malformed TCP AO option.
CVE-2019-12261 - TCP Urgent Pointer state confusion during connect() to a remote host.
CVE-2019-12262 - Handling of unsolicited Reverse ARP replies (logic flaw).
CVE-2019-12263 - TCP Urgent Pointer state confusion due to a race condition.
CVE-2019-12264 - Logic flaw in IPv4 assignment by ipdhcpc DHCP client.
CVE-2019-12265 - IGMP information leak via IGMPv3 specific membership report.
" [1]
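Added example (not part of the AusCERT, Cyber Centre or Wind River text): a Python triage function that a monitoring point between network zones could run over raw IPv4 packets to surface two header conditions named in the list above, TCP segments with the URG flag set and an urgent pointer of 0 (CVE-2019-12255) and IPv4 packets that carry IP options (CVE-2019-12256). The function names, finding labels and sample packets are constructed for illustration; a finding is a prompt for review, not proof of exploitation.

```python
import struct

URG = 0x20  # TCP URG flag bit (the urgent pointer is only meaningful when set)


def triage_ipv4(pkt: bytes) -> list:
    """Return heuristic findings for one raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not-ipv4-or-truncated"]
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or ihl > len(pkt):
        return ["bad-ihl"]
    findings = []
    if ihl > 20:
        # Header longer than 20 bytes means IP options are present
        # (the parsing path named in CVE-2019-12256).
        findings.append("ipv4-options-present")
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if pkt[9] == 6 and frag_offset == 0:  # TCP, first fragment only
        tcp = pkt[ihl:]
        if len(tcp) < 20:
            findings.append("tcp-truncated")
        elif tcp[13] & URG:
            findings.append("tcp-urg-set")
            if struct.unpack("!H", tcp[18:20])[0] == 0:
                # Condition named in CVE-2019-12255.
                findings.append("tcp-urg-pointer-zero")
    return findings


def build_sample(flags: int, urg_ptr: int, ip_options: bytes = b"") -> bytes:
    """Constructed test input: IPv4 + TCP headers only, documentation addresses."""
    ihl_words = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 1024, 0, urg_ptr)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                     ihl_words * 4 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + ip_options + tcp


if __name__ == "__main__":
    samples = {
        "plain ACK": build_sample(0x10, 0),
        "URG, pointer 0": build_sample(0x30, 0),
        "URG, pointer 5": build_sample(0x30, 5),
        "IP options (NOP/EOL)": build_sample(0x10, 0, b"\x01\x01\x01\x00"),
    }
    for name, pkt in samples.items():
        print(f"{name:22s} {triage_ipv4(pkt)}")
```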
MITIGATION
The Canadian Cyber Centre provides the following advice for affected
customers:
"SUGGESTED ACTION
  - Wind River has released a new version of the VxWorks real-time
    operating system (VxWorks 7 SR620) which includes patched code to
    address these vulnerabilities. If possible, upgrade to the latest
    version of VxWorks.
  - Effectively segment networks and implement demilitarized zones
    (DMZs) with properly configured firewalls to selectively control and
    monitor traffic passed between zones.
  - Minimize network exposure for all control system devices and/or
    systems, and ensure that they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls,
    and isolate them from the business network.
  - When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing that VPNs may have
    vulnerabilities and should be updated to the most current version
    available. Also recognize that VPN is only as secure as the
    connected devices.
" [1]
Wind River provides the following information:
"The following versions of VxWorks using the IPnet stack are
impacted (not all vulnerabilities apply to all products):
  - VxWorks 7 (SR540 and SR610)
  - VxWorks 6.5-6.9
  - Versions of VxWorks using the Interpeak standalone network stack
Note: The latest release of VxWorks 7 (SR620) is not affected.
Please view the Security Advisory for full details.
Wind River customers with additional questions about these
vulnerabilities should contact Wind River Customer Support or their
local Wind River representative for more information. If you own a
device that is impacted by these vulnerabilities, please contact
your device manufacturer." [2]
REFERENCES
[1] Wind River VxWorks IPnet TCP/IP Stack Vulnerabilities
https://cyber.gc.ca/en/alerts/wind-river-vxworks-ipnet-tcpip-stack-vulnerabilities
[2] SECURITY VULNERABILITY RESPONSE INFORMATION
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/
[3] SECURITY ADVISORY: WIND RIVER TCP/IP STACK (IPNET) VULNERABILITIES
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/security-advisory-ipnet/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================