Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

        Wind River Systems VxWorks debug service enabled by default
                               6 August 2010


        AusCERT Security Bulletin Summary

Product:           VxWorks 6.x
                   VxWorks 5.x
Publisher:         US-CERT
Operating System:  VxWorks
Impact/Access:     Root Compromise -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2010-2965  

Original Bulletin: 

Comment: This is not the same vulnerability as described in ESB-2010.0688.
         The vendor states that customers are encouraged to follow the 
         remediation actions outlined in the SOLUTION section of the 
         vulnerability post.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#362332

Wind River Systems VxWorks debug service enabled by default


   Some products based on VxWorks have the WDB target agent debug service
   enabled by default. This service provides read/write access to the
   device's memory and allows functions to be called.

I. Description

   The VxWorks WDB target agent is a target-resident, run-time facility
   that is required for connecting host tools to a VxWorks target system
   during development. WDB is a selectable component in the VxWorks
   configuration and is enabled by default. The WDB debug agent access is
   not secured and does provide a security hole in a deployed system.

   It is advisable for production systems to reconfigure VxWorks with
   only those components needed for deployed operation and to build it as
   the appropriate type of system image. It is recommended to remove host
   development components such as the WDB target agent and debugging
   components (INCLUDE_WDB and INCLUDE_DEBUG) as well as other operating
   system components that are not required to support customer
   Consult the VxWorks Kernel Programmer's guide for more information on

   Additional information can be found in ICS-CERT advisory
   ICSA-10-214-01 and on the Metasploit Blog.

II. Impact

   An attacker can use the debug service to fully compromise the device.

III. Solution

   Disable debug agent

   Vendors should remove the WDB target debug agent in their VxWorks
   based products by removing the INCLUDE_WDB & INCLUDE_DEBUG components
   from their VxWorks Image.

   Restrict access

   Appropriate firewall rules should be implemented to restrict access to
   the debug service (17185/udp) to only trusted sources until vendors
   have released patches to disable it.

Vendor Information

   Vendor                          Status   Date Notified Date Updated
   3com Inc                        Affected 2010-06-14    2010-07-27
   Actelis Networks                Affected 2010-06-29    2010-07-27
   Alcatel-Lucent                  Affected 2010-06-14    2010-07-27
   Allied Telesis                  Affected 2010-06-29    2010-07-27
   Alvarion                        Affected 2010-06-29    2010-07-27
   amx                             Affected 2010-06-29    2010-07-27
   Aperto Networks                 Affected 2010-06-29    2010-07-27
   Apple Inc.                      Affected 2010-06-14    2010-07-27
   ARRIS                           Affected 2010-06-18    2010-07-27
   Avaya, Inc.                     Affected 2010-06-14    2010-07-27
   Broadcom                        Affected 2010-06-14    2010-07-27
   Brocade                         Unknown  2010-08-03    2010-08-03
   Canon                           Affected 2010-06-18    2010-07-27
   Ceragon Networks Inc            Affected 2010-06-29    2010-07-27
   Cisco Systems, Inc.             Affected 2010-06-14    2010-06-23
   D-Link Systems, Inc.            Affected 2010-06-14    2010-07-27
   Dell Computer Corporation, Inc. Affected 2010-06-14    2010-07-27
   Digicom                         Affected 2010-06-29    2010-07-27
   DrayTek Corporation             Affected 2010-06-29    2010-07-27
   EMC Corporation                 Affected 2010-06-14    2010-07-27
   Enablence                       Affected 2010-06-29    2010-07-27
   Enterasys Networks              Affected 2010-06-18    2010-07-27
   Epson America, Inc.             Affected 2010-06-18    2010-07-27
   Ericsson                        Affected 2010-06-14    2010-07-27
   Fluke Networks                  Affected 2010-06-14    2010-07-27
   Foundry Networks, Inc.          Affected 2010-06-14    2010-07-27
   Gilat Network Systems           Affected 2010-06-29    2010-07-27
   Guangzhou Gaoke Communications  Affected 2010-06-29    2010-07-27
   Hewlett-Packard Company         Affected 2010-06-14    2010-07-27
   Huawei Technoligies             Affected 2010-06-18    2010-07-27
   Intel Corporation               Unknown  2010-07-02    2010-07-27
   IWATSU Voice Networks           Affected 2010-06-29    2010-07-27
   Keda Communications             Affected 2010-06-29    2010-07-27
   Knovative Inc                   Affected 2010-06-29    2010-07-27
   Lenovo                          Affected 2010-06-14    2010-07-27
   Lutron Electronics              Affected 2010-06-29    2010-07-27
   Maipu Communication Technology  Affected 2010-06-29    2010-07-27
   Mitel Networks, Inc.            Affected 2010-06-14    2010-07-27
   Motorola, Inc.                  Affected 2010-06-14    2010-07-27
   Netgear, Inc.                   Affected 2010-06-18    2010-07-27
   Nokia                           Affected 2010-06-18    2010-07-27
   Nortel Networks, Inc.           Affected 2010-06-14    2010-07-27
   Polycom                         Affected 2010-06-14    2010-07-27
   Proxim, Inc.                    Affected 2010-06-14    2010-07-27
   Rad Vision, Inc.                Affected 2010-06-14    2010-07-27
   Ricoh Americas Corporation      Unknown  2010-08-03    2010-08-03
   Ricoh Corporation               Affected 2010-06-14    2010-07-27
   Rockwell Automation             Affected 2010-06-15    2010-07-30
   Shoretel Communications, Inc.   Affected 2010-06-14    2010-07-27
   Siemens                         Affected 2010-06-14    2010-07-27
   SMC Networks, Inc.              Affected 2010-06-18    2010-07-27
   TRENDnet                        Affected 2010-06-14    2010-07-27
   Tut Systems, Inc.               Affected 2010-06-18    2010-07-27
   Wind River Systems, Inc.        Affected 2010-06-14    2010-08-02
   Xerox                           Affected 2010-06-14    2010-07-27




   Thanks to HD Moore for reporting a wider scope with additional
   research related to this vulnerability. Earlier public reports came
   from Bennett Todd and Shawn Merdinger.

   This document was written by Jared Allar.

Other Information

   Date Public:              2010-08-02
   Date First Published:     2010-08-02
   Date Last Updated:        2010-08-03
   CERT Advisory:           
   US-CERT Technical Alerts:
   Metric:                   14.04
   Document Revision:        46

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: https://www.auscert.org.au/1967