===========================================================================
AUSCERT Security Bulletin

ASB-2019.0224
Wind River VxWorks IPnet TCP/IP Stack Vulnerabilities
30 July 2019
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           VxWorks
Operating System:  Network Appliance
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12265 CVE-2019-12264 CVE-2019-12263
                   CVE-2019-12262 CVE-2019-12261 CVE-2019-12260
                   CVE-2019-12259 CVE-2019-12258 CVE-2019-12257
                   CVE-2019-12256 CVE-2019-12255

OVERVIEW

Multiple vulnerabilities have been discovered in the Wind River VxWorks
platform. [1] [2]

The Canadian Center for Cyber Security provides the following information
about Wind River VxWorks:

"Wind River VxWorks Platform is a real-time operating system widely used in
ICS-related devices and deployed across several sectors, including
Communications, Critical Manufacturing, Energy, Healthcare and Public
Health, Transportation Systems, Water and Wastewater Systems, and others.

Multiple vulnerabilities exist in the VxWorks default TCP/IP Stack (called
IPnet). These vulnerabilities are present in all recent versions of
non-certified VxWorks. Some of these vulnerabilities can lead to remote
code execution, denial of service and information leaks." [1]

AFFECTED PRODUCTS

The Canadian Cyber Centre provides the following information regarding
affected products:

"Devices using the following VxWorks versions that use the TCP/IP stack may
be affected by one or more of these CVEs:

  - All currently-supported versions of VxWorks (6.9.4.11, Vx7 SR540,
    Vx7 SR610).
  - Previous versions of VxWorks from 6.5 onwards.
  - All versions of the discontinued product Advanced Networking
    Technology (ANT).
  - IPnet used as a standalone TCP/IP network stack (prior to 2006).
  - The VxWorks bootrom network stack.

WindRiver VxWorks products not affected:

  - VxWorks 5.3 through 6.4 inclusive.
  - All VxWorks Cert versions.
  - VxWorks 653 versions 2.x and earlier.
  - VxWorks 653 MCE 3.x CertEdition and later.

VxWorks 653 MCE 3.x may be affected." [1]

IMPACT

The Canadian Center for Cyber Security has posted the following information
regarding the vulnerabilities:

"The following vulnerabilities exist in the VxWorks TCP/IP Stack:

  CVE-2019-12255 - TCP Urgent Pointer = 0 leads to integer underflow.
  CVE-2019-12256 - Stack overflow in the parsing of IPv4 packets’ IP
                   options.
  CVE-2019-12257 - Heap overflow in DHCP Offer/Ack parsing inside ipdhcpc.
  CVE-2019-12258 - DoS of TCP connection via malformed TCP options.
  CVE-2019-12259 - DoS via NULL dereference in IGMP parsing.
  CVE-2019-12260 - TCP Urgent Pointer state confusion caused by malformed
                   TCP AO option.
  CVE-2019-12261 - TCP Urgent Pointer state confusion during connect() to
                   a remote host.
  CVE-2019-12262 - Handling of unsolicited Reverse ARP replies (logic
                   flaw).
  CVE-2019-12263 - TCP Urgent Pointer state confusion due to a race
                   condition.
  CVE-2019-12264 - Logic flaw in IPv4 assignment by ipdhcpc DHCP client.
  CVE-2019-12265 - IGMP information leak via IGMPv3 specific membership
                   report." [1]

MITIGATION

The Canadian Cyber Centre provides the following advice for affected
customers:

"SUGGESTED ACTION

Wind River has released a new version of the VxWorks real-time operating
system (VxWorks 7 SR620) which includes patched code to address these
vulnerabilities.

  - If possible, upgrade to the latest version of VxWorks.
  - Effectively segment networks and implement demilitarized zones (DMZs)
    with properly configured firewalls to selectively control and monitor
    traffic passed between zones.
  - Minimize network exposure for all control system devices and/or
    systems, and ensure that they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls,
    and isolate them from the business network.
  - When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing that VPNs may have
    vulnerabilities and should be updated to the most current version
    available. Also recognize that VPN is only as secure as the connected
    devices." [1]

Wind River provides the following information:

"The following versions of VxWorks using the IPnet stack are impacted (not
all vulnerabilities apply to all products):

  - VxWorks 7 (SR540 and SR610)
  - VxWorks 6.5-6.9
  - Versions of VxWorks using the Interpeak standalone network stack

Note: The latest release of VxWorks 7 (SR620) is not affected.

Please view the Security Advisory for full details. Wind River customers
with additional questions about these vulnerabilities should contact Wind
River Customer Support or their local Wind River representative for more
information.

If you own a device that is impacted by these vulnerabilities, please
contact your device manufacturer." [2]

REFERENCES

[1] Wind River VxWorks IPnet TCP/IP Stack Vulnerabilities
    https://cyber.gc.ca/en/alerts/wind-river-vxworks-ipnet-tcpip-stack-vulnerabilities

[2] SECURITY VULNERABILITY RESPONSE INFORMATION
    https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

[3] SECURITY ADVISORY: WIND RIVER TCP/IP STACK (IPNET) VULNERABILITIES
    https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/security-advisory-ipnet/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
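
As an added example (not part of the AusCERT bulletin or of the advisories it quotes), the following Python code shows detection logic for the condition the bulletin names under CVE-2019-12255: a TCP segment with the URG flag set and an urgent pointer of 0. The function names, sample packets, addresses and port are constructed for illustration, and alerting on this header condition alone is an assumption made here, not a vendor signature.

```python
import struct

URG = 0x20  # URG bit in the TCP flags byte (RFC 793)

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags, urg_ptr), or None if pkt does
    not hold a complete IPv4 header followed by a complete TCP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4                  # IP header length, options included
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(pkt) < ihl + 20:
        return None                            # bad IHL, later fragment, or truncated
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    urg_ptr = struct.unpack("!H", pkt[ihl + 18:ihl + 20])[0]
    addr = lambda b: ".".join(str(x) for x in b)
    return addr(pkt[12:16]), addr(pkt[16:20]), sport, dport, flags, urg_ptr

def urgent_pointer_alerts(packets):
    """List (index, 'src:port', 'dst:port') for URG segments whose urgent pointer is 0."""
    alerts = []
    for i, pkt in enumerate(packets):
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, flags, urg_ptr = parsed
        if flags & URG and urg_ptr == 0:
            alerts.append((i, f"{src}:{sport}", f"{dst}:{dport}"))
    return alerts

def build(flags, urg_ptr, ip_options=b""):
    """Constructed sample packet (checksums left as 0, documentation addresses)."""
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 40 + len(ip_options),
                     0, 0, 64, 6, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 502, 1, 0, 5 << 4, flags, 8192, 0, urg_ptr)
    return ip + ip_options + tcp

SAMPLE = [                                # constructed traffic, not a real capture
    build(0x10, 0),                       # plain ACK: urgent pointer not significant
    build(0x30, 0),                       # URG|ACK with pointer 0 -> alert
    build(0x30, 5),                       # URG|ACK with non-zero pointer
    build(0x38, 0, b"\x01\x01\x01\x00"),  # URG|PSH|ACK behind IP options (IHL=6) -> alert
    build(0x30, 0)[:30],                  # truncated capture: skipped
]

if __name__ == "__main__":
    for alert in urgent_pointer_alerts(SAMPLE):
        print("URG with urgent pointer 0:", alert)
```

The parser honours the IPv4 header length field, so segments that follow IP options are still inspected at the correct offset, and truncated or non-first-fragment packets are skipped rather than misread.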