-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0696
        Wind River Systems VxWorks debug service enabled by default
                                6 August 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VxWorks 6.x
                   VxWorks 5.x
Publisher:         US-CERT
Operating System:  VxWorks
Impact/Access:     Root Compromise -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2010-2965

Original Bulletin:
  http://www.kb.cert.org/vuls/id/362332

Comment: This is not the same vulnerability as described in ESB-2010.0688.

         The vendor states that customers are encouraged to follow the
         remediation actions outlined in the SOLUTION section of the
         vulnerability post.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#362332

Wind River Systems VxWorks debug service enabled by default

Overview

Some products based on VxWorks have the WDB target agent debug service
enabled by default. This service provides read/write access to the device's
memory and allows functions to be called.

I. Description

The VxWorks WDB target agent is a target-resident, run-time facility that is
required for connecting host tools to a VxWorks target system during
development. WDB is a selectable component in the VxWorks configuration and
is enabled by default. Access to the WDB debug agent is not secured, so
leaving it in a deployed system opens a security hole.

It is advisable for production systems to reconfigure VxWorks with only
those components needed for deployed operation and to build it as the
appropriate type of system image. It is recommended to remove host
development components such as the WDB target agent and debugging
components (INCLUDE_WDB and INCLUDE_DEBUG), as well as other operating
system components that are not required to support customer applications.

Consult the VxWorks Kernel Programmer's guide for more information on WDB.

Additional information can be found in ICS-CERT advisory ICSA-10-214-01 and
on the Metasploit Blog.

II. Impact

An attacker can use the debug service to fully compromise the device.

III. Solution

Disable debug agent

Vendors should remove the WDB target debug agent from their VxWorks-based
products by removing the INCLUDE_WDB and INCLUDE_DEBUG components from
their VxWorks image.

Restrict access

Appropriate firewall rules should be implemented to restrict access to the
debug service (17185/udp) to only trusted sources until vendors have
released patches to disable it.

Vendor Information

Vendor                            Status    Date Notified  Date Updated
3com Inc                          Affected  2010-06-14     2010-07-27
Actelis Networks                  Affected  2010-06-29     2010-07-27
Alcatel-Lucent                    Affected  2010-06-14     2010-07-27
Allied Telesis                    Affected  2010-06-29     2010-07-27
Alvarion                          Affected  2010-06-29     2010-07-27
amx                               Affected  2010-06-29     2010-07-27
Aperto Networks                   Affected  2010-06-29     2010-07-27
Apple Inc.                        Affected  2010-06-14     2010-07-27
ARRIS                             Affected  2010-06-18     2010-07-27
Avaya, Inc.                       Affected  2010-06-14     2010-07-27
Broadcom                          Affected  2010-06-14     2010-07-27
Brocade                           Unknown   2010-08-03     2010-08-03
Canon                             Affected  2010-06-18     2010-07-27
Ceragon Networks Inc              Affected  2010-06-29     2010-07-27
Cisco Systems, Inc.               Affected  2010-06-14     2010-06-23
D-Link Systems, Inc.              Affected  2010-06-14     2010-07-27
Dell Computer Corporation, Inc.   Affected  2010-06-14     2010-07-27
Digicom                           Affected  2010-06-29     2010-07-27
DrayTek Corporation               Affected  2010-06-29     2010-07-27
EMC Corporation                   Affected  2010-06-14     2010-07-27
Enablence                         Affected  2010-06-29     2010-07-27
Enterasys Networks                Affected  2010-06-18     2010-07-27
Epson America, Inc.               Affected  2010-06-18     2010-07-27
Ericsson                          Affected  2010-06-14     2010-07-27
Fluke Networks                    Affected  2010-06-14     2010-07-27
Foundry Networks, Inc.            Affected  2010-06-14     2010-07-27
Gilat Network Systems             Affected  2010-06-29     2010-07-27
Guangzhou Gaoke Communications    Affected  2010-06-29     2010-07-27
Hewlett-Packard Company           Affected  2010-06-14     2010-07-27
Huawei Technologies               Affected  2010-06-18     2010-07-27
Intel Corporation                 Unknown   2010-07-02     2010-07-27
IWATSU Voice Networks             Affected  2010-06-29     2010-07-27
Keda Communications               Affected  2010-06-29     2010-07-27
Knovative Inc                     Affected  2010-06-29     2010-07-27
Lenovo                            Affected  2010-06-14     2010-07-27
Lutron Electronics                Affected  2010-06-29     2010-07-27
Maipu Communication Technology    Affected  2010-06-29     2010-07-27
Mitel Networks, Inc.              Affected  2010-06-14     2010-07-27
Motorola, Inc.                    Affected  2010-06-14     2010-07-27
Netgear, Inc.                     Affected  2010-06-18     2010-07-27
Nokia                             Affected  2010-06-18     2010-07-27
Nortel Networks, Inc.             Affected  2010-06-14     2010-07-27
Polycom                           Affected  2010-06-14     2010-07-27
Proxim, Inc.                      Affected  2010-06-14     2010-07-27
Rad Vision, Inc.                  Affected  2010-06-14     2010-07-27
Ricoh Americas Corporation        Unknown   2010-08-03     2010-08-03
Ricoh Corporation                 Affected  2010-06-14     2010-07-27
Rockwell Automation               Affected  2010-06-15     2010-07-30
Shoretel Communications, Inc.     Affected  2010-06-14     2010-07-27
Siemens                           Affected  2010-06-14     2010-07-27
SMC Networks, Inc.                Affected  2010-06-18     2010-07-27
TRENDnet                          Affected  2010-06-14     2010-07-27
Tut Systems, Inc.                 Affected  2010-06-18     2010-07-27
Wind River Systems, Inc.          Affected  2010-06-14     2010-08-02
Xerox                             Affected  2010-06-14     2010-07-27

References

http://www.cisco.com/warp/public/707/cisco-sa-20051116-7920.shtml
http://seclists.org/vuln-dev/2002/May/179
http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
http://www.us-cert.gov/control_systems/pdf/ICSA-10-214-01_VxWorks_Vulnerabilities.pdf

Credit

Thanks to HD Moore for reporting a wider scope with additional research
related to this vulnerability. Earlier public reports came from Bennett Todd
and Shawn Merdinger.

This document was written by Jared Allar.

Other Information

Date Public:                2010-08-02
Date First Published:       2010-08-02
Date Last Updated:          2010-08-03
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:                     14.04
Document Revision:          46

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967

iD8DBQFMW44G/iFOrG6YcBERAp5MAKCxYCp0PPDeA5naYqy3PNnYglDcVgCgnPwU
AiZpaHqeOQAj1jT7PpCKRtI=
=hI26
-----END PGP SIGNATURE-----
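The Solution section of the bulletin above gives two defensive steps: drop the INCLUDE_WDB and INCLUDE_DEBUG components from the production image, and restrict 17185/udp to trusted sources until that is done. The following script is an added example, not part of the AusCERT bulletin or the CERT vulnerability note, showing how a build pipeline and a firewall-log review can check both steps. It assumes a VxWorks 5.x-style config.h in which components are toggled by #define / #undef lines and the last directive for a name wins, with components treated as enabled unless explicitly undefined (mirroring the "enabled by default" behaviour the note describes); the firewall log format and all addresses are constructed for the example.

```python
"""Audit helpers for VU#362332 (added example, not vendor or CERT code).

Two checks:
  1. enabled_debug_components(): does a config.h still leave the WDB target
     agent or debugger in the image?
  2. untrusted_wdb_traffic(): has any source outside the trusted set reached
     the WDB agent port (17185/udp) according to firewall logs?
"""
import re
from typing import Iterable, List, Set, Tuple

WDB_PORT = 17185                       # WDB target agent, per VU#362332
# Components VU#362332 says should be removed from production images.
DEBUG_COMPONENTS = ("INCLUDE_WDB", "INCLUDE_DEBUG")

# Matches "#define INCLUDE_FOO" or "#undef INCLUDE_FOO" (whitespace tolerant).
_DIRECTIVE_RE = re.compile(r"^\s*#\s*(define|undef)\s+(INCLUDE_\w+)\b")


def enabled_debug_components(config_text: str) -> Set[str]:
    """Return the debug components a config.h still leaves enabled.

    Assumption (config.h convention): a component is enabled unless the last
    directive naming it is #undef. Merely omitting the #define is NOT enough,
    because the default configuration enables WDB."""
    last_state = {}
    for line in config_text.splitlines():
        match = _DIRECTIVE_RE.match(line)
        if match:
            last_state[match.group(2)] = (match.group(1) == "define")
    return {comp for comp in DEBUG_COMPONENTS if last_state.get(comp, True)}


# Constructed firewall log format: "<ts> <host> proto=<p> src=<ip>:<port> dst=<ip>:<port> ..."
_LOG_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def untrusted_wdb_traffic(log_lines: Iterable[str],
                          trusted_sources: Set[str]) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs for UDP datagrams to WDB_PORT from sources
    that are not in the trusted allow-list. Lines that do not parse, use a
    different protocol, or target another port are ignored."""
    hits = []
    for line in log_lines:
        match = _LOG_RE.search(line)
        if not match:
            continue
        if match.group("proto").lower() != "udp":
            continue
        if int(match.group("dport")) != WDB_PORT:
            continue
        if match.group("src") not in trusted_sources:
            hits.append((match.group("src"), match.group("dst")))
    return hits


# --- Constructed sample inputs -------------------------------------------
# Development-style config.h: host tools still included.
SAMPLE_CONFIG_DEV = """\
/* config.h (constructed): development build */
#define INCLUDE_WDB
#define INCLUDE_DEBUG
#define INCLUDE_SHELL
"""

# Config that only omits the defines: still flagged, because of the default.
SAMPLE_CONFIG_OMITTED = """\
/* config.h (constructed): defines simply left out */
#define INCLUDE_SHELL
"""

# Production-style config.h: components explicitly removed.
SAMPLE_CONFIG_PROD = """\
/* config.h (constructed): deployed image */
#define INCLUDE_SHELL
#undef INCLUDE_WDB
#undef INCLUDE_DEBUG
"""

# Constructed firewall log lines; 10.0.0.5 is the only trusted host tools box.
SAMPLE_LOG = [
    "2010-08-06T10:00:01 fw1 proto=udp src=10.0.0.5:40000 dst=10.0.1.20:17185 action=allow",
    "2010-08-06T10:00:02 fw1 proto=udp src=192.0.2.7:53211 dst=10.0.1.20:17185 action=allow",
    "2010-08-06T10:00:03 fw1 proto=tcp src=192.0.2.7:53212 dst=10.0.1.20:23 action=allow",
    "2010-08-06T10:00:04 fw1 proto=udp src=192.0.2.9:5000 dst=10.0.1.21:161 action=allow",
]
TRUSTED_SOURCES = {"10.0.0.5"}


if __name__ == "__main__":
    for name, cfg in (("dev", SAMPLE_CONFIG_DEV),
                      ("omitted", SAMPLE_CONFIG_OMITTED),
                      ("prod", SAMPLE_CONFIG_PROD)):
        print(f"{name:8s} still enabled: {sorted(enabled_debug_components(cfg))}")
    for src, dst in untrusted_wdb_traffic(SAMPLE_LOG, TRUSTED_SOURCES):
        print(f"untrusted WDB access: {src} -> {dst}:{WDB_PORT}/udp")
```

The "omitted" configuration is the case worth noticing: a config.h that simply never mentions INCLUDE_WDB is reported as still enabled, which is what the note's "enabled by default" implies, so the build check only passes when the component is explicitly undefined. The log check is a stop-gap matching the bulletin's "restrict access" advice; it tells you whether the firewall rule is actually holding, not whether the agent has been removed.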