Stack-based buffer overflow in VxWorks - CVE-2019-12256
Published: July 31, 2019
Vulnerability identifier: #VU19578
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-12256
CWE-ID: CWE-121
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Wind River Systems, Inc.
Affected software:
VxWorks
VxWorks
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing IPv4 options. A remote unauthenticated attacker can send specially crafted network traffic to the affected system, trigger stack-based buffer overflow and execute arbitrary code on the target system or crash the tNet0 task.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2019-12256
Install updates from vendor's website.
The vulnerability was fixed in
VxWorks 6.9: version 6.9.4.12
VxWorks 7: versions 2.1.0.0 and 1.4.3.1