30 July 2019

Critical flaws in VxWorks RTOS impact over 2 billion devices, including routers, printers and SCADA

Eleven dangerous vulnerabilities have been discovered in the VxWorks real-time operating system (RTOS), which is used by over 2 billion devices ranging from firewalls, routers and printers to critical industrial equipment, medical and enterprise devices. Dubbed “URGENT/11,” the flaws affect VxWorks’ TCP/IP stack (IPnet) and impact all versions since version 6.5, meaning they have been present in the operating system for the last 13 years. It is worth noting that the URGENT/11 vulnerabilities do not affect the versions of the product designed for safety certification, namely VxWorks 653 and VxWorks Cert Edition.

A detailed description of the vulnerabilities is available here: https://www.cybersecurity-help.cz/vdb/SB2019073103

URGENT/11 vulnerabilities pose a serious risk as they allow attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions. Also, the flaws can be used to propagate malware into and within networks in a similar way to the EternalBlue vulnerability used in WannaCry ransomware attacks.

Of the 11 vulnerabilities, 6 are classified as critical and allow Remote Code Execution (RCE), while the other 5 are denial-of-service, information-leak or logical flaws.

The six critical vulnerabilities that can lead to remote code execution are:

1. CVE-2019-12256 (stack overflow in the parsing of IPv4 options) – a flaw that can be exploited by sending a specially crafted IP packet to the target device. It affects devices running VxWorks v6.9.4 or above with a network connection. Exploitation doesn’t require any specific application or configuration to be running on the device.

2. CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, and CVE-2019-12263 - memory corruption vulnerabilities stemming from erroneous handling of TCP’s Urgent Pointer field. The bugs can be triggered by either directly connecting to an open TCP port on the target device, or by hijacking an outbound TCP connection originating from the target device.

The four variants of this attack, affecting different VxWorks versions, are:

  • TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255) affects VxWorks versions 6.5 to 6.9.3.

  • TCP Urgent Pointer state confusion caused by malformed TCP AO option (CVE-2019-12260) affects VxWorks versions 6.9.4 and above.

  • TCP Urgent Pointer state confusion due to race condition (CVE-2019-12263) affects VxWorks versions 6.6 and above.

  • TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261) affects VxWorks versions 6.7 and above.

3. CVE-2019-12257 - a heap overflow vulnerability triggered when a vulnerable device parses a specially crafted DHCP response packet. The bug resides in VxWorks versions 6.5 to 6.9.3.
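As an added illustration (not part of the original advisory or of any vendor tooling), the following Python detector flags two of the packet-level conditions named above: an IPv4 header that carries options (the parsing path of CVE-2019-12256) and a TCP segment with the URG flag set and Urgent Pointer = 0 (the condition described for CVE-2019-12255). The packet builder is a constructed test input with zeroed checksums, and the rule names are assumptions chosen for this example.

```python
import struct
from typing import List

TCP_URG = 0x20  # URG bit in the TCP flags byte


def inspect_ipv4_packet(pkt: bytes) -> List[str]:
    """Return anomaly labels for one raw IPv4 packet (no link-layer header).

    Rules (labels are constructed for this example):
      "ipv4-options"     - IHL > 5, i.e. the header carries IPv4 options
      "tcp-urg-ptr-zero" - TCP segment with URG set and Urgent Pointer == 0
      "truncated"        - packet too short to evaluate safely
    """
    findings: List[str] = []
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return ["truncated"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return ["truncated"]
    if ihl > 20:
        findings.append("ipv4-options")
    if pkt[9] == 6:  # protocol 6 = TCP
        tcp = pkt[ihl:]
        if len(tcp) < 20:
            findings.append("truncated")
        else:
            flags = tcp[13]
            urg_ptr = struct.unpack("!H", tcp[18:20])[0]
            if flags & TCP_URG and urg_ptr == 0:
                findings.append("tcp-urg-ptr-zero")
    return findings


def build_sample(ihl_words: int = 5, tcp_flags: int = 0x18, urg_ptr: int = 0) -> bytes:
    """Construct a minimal IPv4+TCP packet as detector test input (not a real capture).

    Checksums are left zero; IHL > 5 pads the header with NOP (0x01) options.
    """
    ip_len = ihl_words * 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ip_len + 20,
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x01" * (ip_len - 20)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 8192, 0, urg_ptr)
    return ip + tcp


def scan(packets: List[bytes]) -> dict:
    """Map packet index -> findings, keeping only packets that triggered a rule."""
    return {i: f for i, f in enumerate(map(inspect_ipv4_packet, packets)) if f}
```

URG with a zero Urgent Pointer is rare but legal traffic, and IPv4 options appear in legitimate diagnostics, so a hit is a triage signal to correlate with device inventory (unpatched VxWorks versions) rather than proof of exploitation.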

The other 5 vulnerabilities are less dangerous flaws that can lead to denial of service, logical errors, or information leaks:

1. TCP connection DoS via malformed TCP options (CVE-2019-12258)

2. Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)

3. Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)

4. DoS via NULL dereference in IGMP parsing (CVE-2019-12259)

5. IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)

Wind River Systems, the maintainer of VxWorks, has released patches to address all of the above-mentioned vulnerabilities.
