30 July 2019

Critical flaws in VxWorks RTOS impact over 2 billion devices, including routers, printers and SCADA


Almost a dozen dangerous vulnerabilities have been discovered in the VxWorks real-time operating system (RTOS), which is used by over 2 billion devices ranging from firewalls, routers and printers to critical industrial equipment, medical and enterprise devices. Dubbed “URGENT/11,” the flaws affect VxWorks’ TCP/IP stack (IPnet) and impact all versions since version 6.5, meaning they have been present in the operating system for the last 13 years. It is worth noting that the URGENT/11 vulnerabilities do not affect the versions of the product designed for safety certification, namely VxWorks 653 and VxWorks Cert Edition.

A detailed description of the vulnerabilities is available here: https://www.cybersecurity-help.cz/vdb/SB2019073103

The URGENT/11 vulnerabilities pose a serious risk: they allow attackers to take over devices with no user interaction required and even to bypass perimeter security devices such as firewalls and NAT solutions. The flaws can also be used to propagate malware into and within networks, in a similar way to the EternalBlue vulnerability used in the WannaCry ransomware attacks.

Of the 11 vulnerabilities, 6 are classified as critical and allow Remote Code Execution (RCE), while the other 5 are denial-of-service, information-leak or logical flaws.

The six critical vulnerabilities that can lead to remote code execution are:

1. CVE-2019-12256 (stack overflow in the parsing of IPv4 options) – a flaw that can be exploited by sending a specially crafted IP packet to the target device. It affects devices running VxWorks v6.9.4 or above with a network connection. Exploitation doesn’t require any specific application or configuration to be running on the device.

2. CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, and CVE-2019-12263 – memory corruption vulnerabilities stemming from erroneous handling of TCP’s Urgent Pointer field. The bugs can be triggered either by directly connecting to an open TCP port on the target device or by hijacking an outbound TCP connection originating from the target device.

The four variants of this flaw, affecting different VxWorks versions, are:

  • TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255); affects VxWorks versions 6.5 to 6.9.3.

  • TCP Urgent Pointer state confusion caused by a malformed TCP AO option (CVE-2019-12260); affects VxWorks versions 6.9.4 and above.

  • TCP Urgent Pointer state confusion due to a race condition (CVE-2019-12263); affects VxWorks versions 6.6 and above.

  • TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261); affects VxWorks versions 6.7 and above.

3. CVE-2019-12257 – a heap overflow vulnerability triggered when a vulnerable device parses a specially crafted DHCP response packet. The bug resides in VxWorks versions 6.5 to 6.9.3.
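As an added illustration (not code from the original post, Wind River or the URGENT/11 researchers), the following Python packet inspector flags the two packet-level conditions described above: an IPv4 header carrying options (the parsing surface of CVE-2019-12256) and a TCP segment with URG set and an Urgent Pointer of 0 (the trigger condition of CVE-2019-12255). The sample packets, function names and addresses are constructed for the example.

```python
import struct

TCP_URG = 0x20  # URG bit in the TCP flags byte

def inspect_packet(pkt):
    """Return the URGENT/11-relevant findings for one raw IPv4 packet (bytes)."""
    findings = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return findings                       # not IPv4; nothing to check here
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl > 20:                              # options present: CVE-2019-12256 parsing surface
        findings.append("ipv4-options")
    if pkt[9] == 6 and len(pkt) >= ihl + 20:  # protocol 6 = TCP with a full 20-byte header
        tcp = pkt[ihl:ihl + 20]
        flags = tcp[13]
        urg_ptr = struct.unpack("!H", tcp[18:20])[0]
        if flags & TCP_URG:
            findings.append("tcp-urg")
            if urg_ptr == 0:                  # URG set with pointer 0: CVE-2019-12255 condition
                findings.append("tcp-urg-ptr-zero")
    return findings

def build_ipv4(proto, payload, options=b""):
    """Assemble a minimal IPv4 header for the constructed samples (checksum left as 0)."""
    opts = options + b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opts) + len(payload),
                      0, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + opts + payload

def build_tcp(flags, urg_ptr):
    """Assemble a minimal 20-byte TCP header; ports, seq and window are placeholder values."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, urg_ptr)

# Constructed sample packets (headers only, no payload) for exercising the check.
SAMPLE_PACKETS = {
    "plain-tcp": build_ipv4(6, build_tcp(0x18, 0)),              # PSH|ACK, URG clear
    "urg-ptr-zero": build_ipv4(6, build_tcp(0x38, 0)),           # URG|PSH|ACK, Urgent Pointer 0
    "ipv4-options": build_ipv4(6, build_tcp(0x10, 0), b"\x01"),  # ACK inside IPv4 header with a NOP option
}

def scan(packets):
    """Run inspect_packet over a name -> bytes mapping and return name -> findings."""
    return {name: inspect_packet(pkt) for name, pkt in packets.items()}

if __name__ == "__main__":
    for name, result in scan(SAMPLE_PACKETS).items():
        print(f"{name}: {result or 'no findings'}")
```

Both findings are coarse monitoring indicators for traffic reaching IPnet-based devices: IPv4 options and URG segments are rare on most networks but are not proof of exploitation on their own, so treat hits as a prompt to check the device's VxWorks version and patch status.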

The other 5 vulnerabilities are less dangerous flaws that can lead to denial of service, logical errors, or information leaks:

1. TCP connection DoS via malformed TCP options (CVE-2019-12258)

2. Handling of unsolicited Reverse ARP replies (logical flaw) (CVE-2019-12262)

3. Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)

4. DoS via NULL dereference in IGMP parsing (CVE-2019-12259)

5. IGMP information leak via IGMPv3-specific membership report (CVE-2019-12265)

Wind River Systems, the maintainer of VxWorks, has released patches to address all of the above-mentioned vulnerabilities.
