Multiple vulnerabilities in Wind River VxWorks

Published: 2019-07-31 | Updated: 2019-07-31
Severity High
Patch available YES
Number of vulnerabilities 11
CVE ID CVE-2019-12256
CVE-2019-12257
CVE-2019-12255
CVE-2019-12260
CVE-2019-12261
CVE-2019-12263
CVE-2019-12258
CVE-2019-12264
CVE-2019-12259
CVE-2019-12262
CVE-2019-12265
CWE ID CWE-121
CWE-122
CWE-191
CWE-119
CWE-362
CWE-20
CWE-440
CWE-476
CWE-401
Exploitation vector Network
Public exploit N/A
Vulnerable software VxWorks Subscribe
Vendor Wind River Systems, Inc.

Security Advisory

1) Stack-based buffer overflow

Severity: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12256

CWE-ID: CWE-121 - Stack-based Buffer Overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing IPv4 options. A remote unauthenticated attacker can send specially crafted network traffic to the affected system, trigger stack-based buffer overflow and execute arbitrary code on the target system or crash the tNet0 task.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

The vulnerability was fixed in
VxWorks 6.9: version  6.9.4.12
VxWorks 7: versions 2.1.0.0 and 1.4.3.1

Vulnerable software versions

VxWorks: 6.9, 7

CPE External links

https://ics-cert.us-cert.gov/advisories/icsa-19-211-01
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12256
https://support2.windriver.com/index.php?page=security-notices&on=view&id=6652

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Heap-based buffer overflow

Severity: Medium

CVSSv3: 7.7 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12257

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within DHCP client implementation when processing DHCP packets. A remote attacker with access local network can send specially crafted DHCP packets to the affected system during system booting, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerability was fixed only in VxWorks 6.9 (version 6.9.4).

Vulnerable software versions

VxWorks: 6.6, 6.7, 6.8, 6.9

CPE External links

https://ics-cert.us-cert.gov/advisories/icsa-19-211-01
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12257
https://support2.windriver.com/index.php?page=security-notices&on=view&id=6652

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Integer underflow

Severity: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12255

CWE-ID: CWE-191 - Integer Underflow (Wrap or Wraparound)

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer underflow when processing TCP packets with URG-flag set. A remote attacker can send a specially crafted TCP request to the affected system, trigger integer underflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

The vulnerability is fixed for VxWorks 6.9 (version 6.9.4)

Vulnerable software versions

VxWorks: 6.6, 6.7, 6.8, 6.9

CPE External links

https://ics-cert.us-cert.gov/advisories/icsa-19-211-01
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12255
https://support2.windriver.com/index.php?page=security-notices&on=view&id=6652

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Buffer overflow

Severity: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12260

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing TCP-segments where the last step is a TCP-segment with the URG-flag set due to TCP Urgent Pointer state confusion caused by malformed TCP AO option. A remote attacker can send specially crafted TCP traffic to the affected system, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

The vulnerability is fixed in:
VxWorks 6.9: update to version  6.9.4.12
VxWorks 7: update to versions 2.1.0.0 or 1.4.3.1.

Vulnerable software versions

VxWorks: 6.9, 7

CPE External links

https://ics-cert.us-cert.gov/advisories/icsa-19-211-01
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12260
https://support2.windriver.com/index.php?page=security-notices&on=view&id=6652

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Buffer overflow

Severity: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12261

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when sending responses to TCP requests due to TCP Urgent Pointer state confusion during connect() to a remote host. A remote attacker can trigger the system to initiate TCP connection to a malicious host, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

The vulnerability is fixed in:
VxWorks 6.9: update to version  6.9.4.12
VxWorks 7: update to versions 2.1.0.0 or 1.4.3.1.

Vulnerable software versions

VxWorks: 6.7, 6.8, 6.9, 7

CPE External links

https://ics-cert.us-cert.gov/advisories/icsa-19-211-01
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12261
https://support2.windriver.com/index.php?page=security-notices&on=view&id=6652

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Race condition

Severity: Low

CVSSv3: 5.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12263

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to a race condition when processing TCP packets. A remote unauthenticated attacker can send malicious sequence of TCP packets within a specific timing, trigger a race condition and perform denial of service attack.

Mitigation

Install updates from vendor's website.

The vulnerability is fixed in:
VxWorks 6.9: update to version  6.9.4.12
VxWorks 7: update to versions 2.1.0.0 or 1.4.3.1.

Vulnerable software versions

VxWorks: 6.6, 6.7, 6.8, 6.9, 7

CPE External links

https://ics-cert.us-cert.gov/advisories/icsa-19-211-01
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12263
https://support2.windriver.com/index.php?page=security-notices&on=view&id=6652

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Input validation error

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12258

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation when processing options in TCP packets. A remote attacker can a specially crafted TCP packet with the source and destination TCP-port and IP-addresses of an existing session can reset the TCP session, leading to a DoS attack.

Mitigation

Install updates from vendor's website.

The vulnerability is fixed in:
VxWorks 6.9: update to version  6.9.4.12
VxWorks 7: update to versions 2.1.0.0 or 1.4.3.1.

Vulnerable software versions

VxWorks: 6.6, 6.7, 6.8, 6.9, 7

CPE External links

https://ics-cert.us-cert.gov/advisories/icsa-19-211-01
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12258

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Expected behavior violation

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12264

CWE-ID: CWE-440 - Expected Behavior Violation

Description

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to a logical flaw within the ipdhcpc DHCP client when processing broadcasted IP addresses. A remote attacker with control over DHCP server within the local network segment can assign multicast or broadcast addresses to the victim.

Mitigation

Install updates from vendor's website.

The vulnerability is fixed in:
VxWorks 6.9: update to version  6.9.4.12
VxWorks 7: update to versions 2.1.0.0 or 1.4.3.1.

Vulnerable software versions

VxWorks: 6.6, 6.7, 6.8, 6.9, 7

CPE External links

https://ics-cert.us-cert.gov/advisories/icsa-19-211-01
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12264

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) NULL pointer dereference

Severity: Low

CVSSv3: 5.7 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12259

CWE-ID: CWE-476 - NULL Pointer Dereference

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when processing IGMP packets. A remote attacker can send specially crafted traffic to the affected system and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

The vulnerability is fixed in:
VxWorks 6.9: update to version  6.9.4.12
VxWorks 7: update to versions 2.1.0.0 or 1.4.3.1.

Vulnerable software versions

VxWorks: 6.6, 6.7, 6.8, 6.9, 7

CPE External links

https://ics-cert.us-cert.gov/advisories/icsa-19-211-01
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12259

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Input validation error

Severity: Low

CVSSv3: 5 [CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12262

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing unsolicited Reverse ARP replies. A remote attacker can send specially crafted traffic and perform denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

The vulnerability is fixed in:
VxWorks 6.9: update to version  6.9.4.12
VxWorks 7: update to versions 2.1.0.0 or 1.4.3.1.

Vulnerable software versions

VxWorks: 6.6, 6.7, 6.8, 6.9, 7

CPE External links

https://ics-cert.us-cert.gov/advisories/icsa-19-211-01
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12262

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Memory leak

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12265

CWE-ID: CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due memory leak when processing IGMPv3 packets. A remote attacker can create a fragmented IGMPv3 query report and read memory contents in the response message.

Mitigation

Install updates from vendor's website.

The vulnerability is fixed in VxWorks 6.9 and 7.

Vulnerable software versions

VxWorks: 6.6, 6.7, 6.8, 6.9, 7

CPE External links

https://ics-cert.us-cert.gov/advisories/icsa-19-211-01
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12265

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.