#VU19579 Heap-based buffer overflow in VxWorks - CVE-2019-12257

Published: July 31, 2019


Vulnerability identifier: #VU19579
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-12257
CWE-ID: CWE-122
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vulnerable software:
VxWorks
Software vendor:
Wind River Systems, Inc.

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the DHCP client implementation when processing DHCP packets. A remote attacker with access to the local network can send specially crafted DHCP packets to the affected system while it is booting, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
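As an added illustration of the kind of boundary check the description refers to (example code written for this page, not VxWorks or Wind River code): a walker over the DHCP options field that validates every option length against the bytes remaining in the packet and against the destination buffer before copying, so a crafted length byte is rejected rather than written past the buffer. The names `dhcp_find_option` and `OPT_BUF_LEN` and the two sample option blocks are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size buffer a client might allocate per option. */
#define OPT_BUF_LEN 32

/* Walk the DHCP options field (type, length, value triples; 0 = pad with no
 * length byte, 255 = end) and copy the value of option `want` into `out`.
 * Returns the value length, -1 if absent, -2 if the packet is malformed
 * (a length runs past the packet) or the value would not fit in out_len. */
int dhcp_find_option(const uint8_t *opts, size_t opts_len, uint8_t want,
                     uint8_t *out, size_t out_len)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t type = opts[i++];
        if (type == 255) return -1;          /* end marker, option absent */
        if (type == 0) continue;             /* pad has no length byte */
        if (i >= opts_len) return -2;        /* length byte missing */
        size_t len = opts[i++];
        if (len > opts_len - i) return -2;   /* value runs past the packet */
        if (type == want) {
            if (len > out_len) return -2;    /* would overflow the buffer */
            memcpy(out, opts + i, len);
            return (int)len;
        }
        i += len;
    }
    return -2;                               /* no end marker: malformed */
}

/* Constructed sample: DHCPOFFER options, message type 2, server id 192.168.1.1. */
static const uint8_t good_opts[] = { 53, 1, 2, 54, 4, 192, 168, 1, 1, 255 };
/* Constructed sample: server-id length byte claims 200 bytes, only 4 follow. */
static const uint8_t bad_opts[]  = { 53, 1, 2, 54, 200, 192, 168, 1, 1, 255 };

/* Returns 1 if the well-formed packet yields the 4-byte server id. */
int check_good(void)
{
    uint8_t buf[OPT_BUF_LEN];
    int n = dhcp_find_option(good_opts, sizeof good_opts, 54, buf, sizeof buf);
    return n == 4 && buf[0] == 192 && buf[3] == 1;
}

/* Returns 1 if the oversized length is rejected instead of copied. */
int check_bad(void)
{
    uint8_t buf[OPT_BUF_LEN];
    return dhcp_find_option(bad_opts, sizeof bad_opts, 54, buf, sizeof buf) == -2;
}
```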


Remediation

Install updates from the vendor's website.

The vulnerability was fixed only in VxWorks 6.9 (version 6.9.4).

External links