-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0696
        Wind River Systems VxWorks debug service enabled by default
                               6 August 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VxWorks 6.x
                   VxWorks 5.x
Publisher:         US-CERT
Operating System:  VxWorks
Impact/Access:     Root Compromise -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2010-2965  

Original Bulletin: 
   http://www.kb.cert.org/vuls/id/362332

Comment: This is not the same vulnerability as described in ESB-2010.0688.
         
         The vendor states that customers are encouraged to follow the 
         remediation actions outlined in the SOLUTION section of the 
         vulnerability post.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#362332

Wind River Systems VxWorks debug service enabled by default

Overview

   Some products based on VxWorks have the WDB target agent debug service
   enabled by default. This service provides read/write access to the
   device's memory and allows functions to be called.

I. Description

   The VxWorks WDB target agent is a target-resident, run-time facility
   that is required for connecting host tools to a VxWorks target system
   during development. WDB is a selectable component in the VxWorks
   configuration and is enabled by default. Access to the WDB debug agent
   is not secured, which leaves a security hole in a deployed system.

   It is advisable for production systems to reconfigure VxWorks with
   only those components needed for deployed operation and to build it as
   the appropriate type of system image. It is recommended to remove host
   development components such as the WDB target agent and debugging
   components (INCLUDE_WDB and INCLUDE_DEBUG) as well as other operating
   system components that are not required to support customer
   applications.
   Consult the VxWorks Kernel Programmer's guide for more information on
   WDB.

   Additional information can be found in ICS-CERT advisory
   ICSA-10-214-01 and on the Metasploit Blog.

II. Impact

   An attacker can use the debug service to fully compromise the device.

III. Solution

   Disable debug agent

   Vendors should remove the WDB target debug agent in their VxWorks
   based products by removing the INCLUDE_WDB & INCLUDE_DEBUG components
   from their VxWorks Image.

   Restrict access

   Appropriate firewall rules should be implemented to restrict access to
   the debug service (17185/udp) to only trusted sources until vendors
   have released patches to disable it.
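
   Two defender-side checks for the mitigations above, added here as an
   example and not part of the US-CERT note or of Wind River's own code: a
   build-time check that fails when a VxWorks 5.x-style configuration still
   enables INCLUDE_WDB or INCLUDE_DEBUG (the header layout, configAll.h
   defaults overridden by a BSP config.h, is an assumption), and a generator
   of iptables rules that allow 17185/udp only from trusted networks. The
   network 10.10.5.0/24 and the file paths in the usage lines are constructed
   placeholders.

```shell
#!/bin/sh
# Added example, not from the US-CERT note or Wind River. Two guards for the
# mitigations in section III: a build-time check of the VxWorks configuration
# headers and a firewall rule generator for the WDB port (17185/udp).

WDB_PORT=17185

# Build-time guard for "Disable debug agent". Pass the configuration headers in
# the order the build sees them (assumed layout: configAll.h defaults, then the
# BSP's config.h with #undef overrides). The last #define/#undef of each
# component wins; a component that ends up #define'd fails the check.
# Returns 0 when INCLUDE_WDB and INCLUDE_DEBUG are both absent or #undef'd.
check_vxworks_config() {
    [ "$#" -gt 0 ] || { echo "ERROR: no configuration header given" >&2; return 1; }
    rc=0
    for comp in INCLUDE_WDB INCLUDE_DEBUG; do
        last=$(cat "$@" \
            | grep -E "^[[:space:]]*#[[:space:]]*(define|undef)[[:space:]]+$comp([[:space:]]|$)" \
            | tail -n 1)
        case "$last" in
            *define*) echo "ERROR: $comp is still enabled in the kernel image" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Deploy-time guard for "Restrict access". Prints iptables rules that accept
# 17185/udp only from the trusted CIDRs given as arguments and drop it from
# everywhere else. Rules are printed rather than applied so this runs without
# privileges; pipe the output into sh on the gateway in front of the devices.
# WDB_CHAIN selects the chain (FORWARD for a gateway, INPUT for a host).
wdb_firewall_rules() {
    chain="${WDB_CHAIN:-FORWARD}"
    [ "$#" -gt 0 ] || { echo "ERROR: no trusted source given" >&2; return 1; }
    for cidr in "$@"; do
        # Reject anything that is not digits, dots and a slash before it is
        # interpolated into a command line.
        case "$cidr" in
            ""|*[!0-9./]*) echo "ERROR: bad CIDR '$cidr'" >&2; return 1 ;;
        esac
        echo "iptables -A $chain -p udp --dport $WDB_PORT -s $cidr -j ACCEPT"
    done
    echo "iptables -A $chain -p udp --dport $WDB_PORT -j DROP"
}

# Usage with a constructed trusted engineering network (placeholder paths
# and address):
#   check_vxworks_config config/all/configAll.h target/config/myBsp/config.h
#   wdb_firewall_rules 10.10.5.0/24 | sudo sh
```

   The header check is meant to run in the image build so a reintroduced
   WDB component breaks the build instead of shipping; the rule generator
   keeps the accept list explicit so a review of the gateway can see exactly
   which sources may still reach the debug port.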

Vendor Information

   Vendor                          Status   Date Notified Date Updated
   3com Inc                        Affected 2010-06-14    2010-07-27
   Actelis Networks                Affected 2010-06-29    2010-07-27
   Alcatel-Lucent                  Affected 2010-06-14    2010-07-27
   Allied Telesis                  Affected 2010-06-29    2010-07-27
   Alvarion                        Affected 2010-06-29    2010-07-27
   amx                             Affected 2010-06-29    2010-07-27
   Aperto Networks                 Affected 2010-06-29    2010-07-27
   Apple Inc.                      Affected 2010-06-14    2010-07-27
   ARRIS                           Affected 2010-06-18    2010-07-27
   Avaya, Inc.                     Affected 2010-06-14    2010-07-27
   Broadcom                        Affected 2010-06-14    2010-07-27
   Brocade                         Unknown  2010-08-03    2010-08-03
   Canon                           Affected 2010-06-18    2010-07-27
   Ceragon Networks Inc            Affected 2010-06-29    2010-07-27
   Cisco Systems, Inc.             Affected 2010-06-14    2010-06-23
   D-Link Systems, Inc.            Affected 2010-06-14    2010-07-27
   Dell Computer Corporation, Inc. Affected 2010-06-14    2010-07-27
   Digicom                         Affected 2010-06-29    2010-07-27
   DrayTek Corporation             Affected 2010-06-29    2010-07-27
   EMC Corporation                 Affected 2010-06-14    2010-07-27
   Enablence                       Affected 2010-06-29    2010-07-27
   Enterasys Networks              Affected 2010-06-18    2010-07-27
   Epson America, Inc.             Affected 2010-06-18    2010-07-27
   Ericsson                        Affected 2010-06-14    2010-07-27
   Fluke Networks                  Affected 2010-06-14    2010-07-27
   Foundry Networks, Inc.          Affected 2010-06-14    2010-07-27
   Gilat Network Systems           Affected 2010-06-29    2010-07-27
   Guangzhou Gaoke Communications  Affected 2010-06-29    2010-07-27
   Hewlett-Packard Company         Affected 2010-06-14    2010-07-27
   Huawei Technologies            Affected 2010-06-18    2010-07-27
   Intel Corporation               Unknown  2010-07-02    2010-07-27
   IWATSU Voice Networks           Affected 2010-06-29    2010-07-27
   Keda Communications             Affected 2010-06-29    2010-07-27
   Knovative Inc                   Affected 2010-06-29    2010-07-27
   Lenovo                          Affected 2010-06-14    2010-07-27
   Lutron Electronics              Affected 2010-06-29    2010-07-27
   Maipu Communication Technology  Affected 2010-06-29    2010-07-27
   Mitel Networks, Inc.            Affected 2010-06-14    2010-07-27
   Motorola, Inc.                  Affected 2010-06-14    2010-07-27
   Netgear, Inc.                   Affected 2010-06-18    2010-07-27
   Nokia                           Affected 2010-06-18    2010-07-27
   Nortel Networks, Inc.           Affected 2010-06-14    2010-07-27
   Polycom                         Affected 2010-06-14    2010-07-27
   Proxim, Inc.                    Affected 2010-06-14    2010-07-27
   Rad Vision, Inc.                Affected 2010-06-14    2010-07-27
   Ricoh Americas Corporation      Unknown  2010-08-03    2010-08-03
   Ricoh Corporation               Affected 2010-06-14    2010-07-27
   Rockwell Automation             Affected 2010-06-15    2010-07-30
   Shoretel Communications, Inc.   Affected 2010-06-14    2010-07-27
   Siemens                         Affected 2010-06-14    2010-07-27
   SMC Networks, Inc.              Affected 2010-06-18    2010-07-27
   TRENDnet                        Affected 2010-06-14    2010-07-27
   Tut Systems, Inc.               Affected 2010-06-18    2010-07-27
   Wind River Systems, Inc.        Affected 2010-06-14    2010-08-02
   Xerox                           Affected 2010-06-14    2010-07-27

References

   http://www.cisco.com/warp/public/707/cisco-sa-20051116-7920.shtml
   http://seclists.org/vuln-dev/2002/May/179
   http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
   http://www.us-cert.gov/control_systems/pdf/ICSA-10-214-01_VxWorks_Vulnerabilities.pdf

Credit

   Thanks to HD Moore for reporting a wider scope with additional
   research related to this vulnerability. Earlier public reports came
   from Bennett Todd and Shawn Merdinger.

   This document was written by Jared Allar.

Other Information

   Date Public:              2010-08-02
   Date First Published:     2010-08-02
   Date Last Updated:        2010-08-03
   CERT Advisory:           
   CVE-ID(s):               
   NVD-ID(s):               
   US-CERT Technical Alerts:
   Metric:                   14.04
   Document Revision:        46

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967

iD8DBQFMW44G/iFOrG6YcBERAp5MAKCxYCp0PPDeA5naYqy3PNnYglDcVgCgnPwU
AiZpaHqeOQAj1jT7PpCKRtI=
=hI26
-----END PGP SIGNATURE-----