Almost a dozen dangerous vulnerabilities have been discovered in the VxWorks real-time operating system (RTOS) used by over 2 billion devices ranging from firewalls, routers and printers to critical industrial equipment, medical and enterprise devices. Dubbed “URGENT/11,” the flaws affect VxWorks’ TCP/IP stack (IPnet), impacting all versions since version 6.5 meaning they have been present in the operating system over the last 13 years. It is worth noting that the URGENT/11 vulnerabilities do not affect other versions of the product designed for safety certification namely VxWorks 653 and VxWorks Cert Edition.
A detailed description of the vulnerabilities is available here: https://www.cybersecurity-help.cz/vdb/SB2019073103
URGENT/11 vulnerabilities pose a serious risk as they allow attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions. Also, the flaws can be used to propagate malware into and within networks in a similar way to the EternalBlue vulnerability used in WannaCry ransomware attacks.
Of the 11 vulnerabilities, 6 are classified as critical and allow Remote Code Execution (RCE), while the other 5 are denial-of-service, information leak or logical flaws.
The six critical vulnerabilities that can lead to remote code execution are:
1. CVE-2019-12256 (stack overflow in the parsing of IPv4 options) – a flaw that can be exploited by sending a specially crafted IP packet to the target device. It affects devices running VxWorks v6.9.4 or above with a network connection. Exploitation does not require any specific application or configuration to be running on the device.
2. CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, and CVE-2019-12263 – memory corruption vulnerabilities stemming from erroneous handling of TCP’s Urgent Pointer field. The bugs can be triggered either by directly connecting to an open TCP port on the target device, or by hijacking an outbound TCP connection originating from the target device.
The four variants of this type of attack, affecting different VxWorks versions:
TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255) – affects VxWorks versions 6.5 to 6.9.3.
TCP Urgent Pointer state confusion caused by malformed TCP AO option (CVE-2019-12260) – affects VxWorks versions 6.9.4 and above.
TCP Urgent Pointer state confusion due to race condition (CVE-2019-12263) – affects VxWorks versions 6.6 and above.
TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261) – affects VxWorks versions 6.7 and above.
3. CVE-2019-12257 – a heap overflow vulnerability triggered when a vulnerable device parses a specially crafted DHCP response packet. The bug resides in VxWorks versions 6.5 to 6.9.3.
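The two RCE families above are reachable through header features that legitimate traffic on an embedded network rarely uses: IPv4 options and the TCP Urgent Pointer. A defender who cannot patch immediately can at least make such packets visible at a monitoring point. The following inspector is an added example written for this article, not code from Wind River or from the URGENT/11 advisory; it parses raw IPv4/TCP headers from constructed sample bytes and reports the presence of IPv4 options (including option entries with an impossible length) and of TCP segments carrying the URG flag, with a separate finding for an Urgent Pointer of zero. The finding names and the sample packets are assumptions made for illustration.

```python
"""Added detection example: flag IPv4 options and TCP URG usage in raw packets.
Not affiliated with Wind River or the URGENT/11 advisory; all packet bytes
below are constructed for illustration."""
import struct
from typing import List

TCP_URG = 0x20  # URG bit in the 9-bit TCP flags field


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header, returning the option bytes and the L4 payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20]
    )
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (20..60)
    if (ver_ihl >> 4) != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "options": pkt[20:ihl],
        "payload": pkt[ihl:total_len] if total_len >= ihl else b"",
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def parse_tcp(seg: bytes) -> dict:
    """Parse the fixed TCP header; the Urgent Pointer is the last 16-bit field."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack("!HHIIHHHH", seg[:20])
    return {
        "sport": sport,
        "dport": dport,
        "urg": bool(off_flags & TCP_URG),
        "urg_ptr": urg_ptr,
        "options": seg[20:(off_flags >> 12) * 4],
    }


def inspect(pkt: bytes) -> List[str]:
    """Return a list of findings for one raw IPv4 packet (empty list = nothing notable)."""
    findings: List[str] = []
    ip = parse_ipv4(pkt)
    opts = ip["options"]
    if opts:
        findings.append(f"ipv4-options len={len(opts)}")
        # Walk the option list: EOOL (0) ends it, NOP (1) is a single byte,
        # every other option carries a length byte that must be at least 2.
        i = 0
        while i < len(opts):
            kind = opts[i]
            if kind == 0:
                break
            if kind == 1:
                i += 1
                continue
            if i + 1 >= len(opts) or opts[i + 1] < 2:
                findings.append("ipv4-option-malformed-length")
                break
            i += opts[i + 1]
    if ip["proto"] == 6 and ip["payload"]:
        tcp = parse_tcp(ip["payload"])
        if tcp["urg"]:
            findings.append(f"tcp-urg urg_ptr={tcp['urg_ptr']}")
            if tcp["urg_ptr"] == 0:
                findings.append("tcp-urg-pointer-zero")
    return findings


# --- constructed sample packets (hypothetical addresses 10.0.0.1 -> 10.0.0.2) ---
def build_tcp(flags: int, urg_ptr: int) -> bytes:
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | flags, 65535, 0, urg_ptr)


def build_ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)  # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 1, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


CLEAN = build_ipv4(6, build_tcp(0x10, 0))                       # plain ACK, no options
URG_ZERO = build_ipv4(6, build_tcp(0x10 | TCP_URG, 0))            # URG set, pointer 0
WITH_OPTIONS = build_ipv4(6, build_tcp(0x10, 0), bytes([7, 7, 4, 0, 0, 0, 0]))  # record-route option
BAD_OPTION = build_ipv4(6, build_tcp(0x10, 0), bytes([7, 1, 0, 0]))            # option length < 2

if __name__ == "__main__":
    for name, pkt in [("clean", CLEAN), ("urg_zero", URG_ZERO),
                      ("with_options", WITH_OPTIONS), ("bad_option", BAD_OPTION)]:
        print(name, inspect(pkt))
```

The inspector reports rather than blocks; on a network of embedded devices a recurring "ipv4-options" or "tcp-urg" finding is a reasonable trigger for closer inspection, while a plain ACK with a zero Urgent Pointer is deliberately not reported because the pointer is only meaningful when URG is set.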
The other 5 vulnerabilities are less dangerous flaws that can lead to denial of service, logical errors, or information leaks:
1. TCP connection DoS via malformed TCP options (CVE-2019-12258)
2. Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)
3. Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)
4. DoS via NULL dereference in IGMP parsing (CVE-2019-12259)
5. IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)
Wind River Systems, the maintainer of VxWorks, has released patches to address all of the above-mentioned vulnerabilities.