Multiple Vulnerabilities in Wind River VxWorks Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2019-075

DATE(S) ISSUED:

07/31/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Wind River’s VxWorks Real Time Operating System (RTOS), the most severe of which could allow for remote code execution. VxWorks RTOS is used by various devices across different industry sectors. These devices include but are not limited to SCADA systems, industrial controllers, patient monitoring, MRI machines, firewalls, VoIP phones and printers. Successful exploitation of the most severe of these vulnerabilities could result in a remote attacker obtaining access to a device running a vulnerable OS version.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild, but non-public proof of concept code exists.

SYSTEMS AFFECTED:

• VxWorks 7 (SR540 and SR610)
• VxWorks 6.5-6.9
• Versions of VxWorks using the Interpeak standalone network stack

RISK:

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Wind River’s VxWorks Real Time Operating System, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:

• One stack overflow vulnerability exists when VxWorks v6.9.4 and above improperly parses IPv4 options (CVE-2019-12256)
• Four memory corruption vulnerabilities exist in VxWorks due to improper handling of TCP’s Urgent Point field (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263)
• One heap overflow vulnerability exists when VxWorks’ DHCP client improperly parses DHCP Offer/ACK packets. (CVE-2019-12257)
• One denial of service vulnerability exist when VxWorks v6.5 and above improperly parses malformed TCP options (CVE-2019-12258)
• One denial of service vulnerability exists when VxWorks v6.5 and above improperly parses Reverse ARP reply packets (CVE-2019-12262)
• One denial of service vulnerability exists in VxWorks v6.5 and above’s built-in DHCP client accepting any IP address assignment (CVE-2019-12264)
• One denial of service vulnerability exists when VxWorks v6.5 and above receives a specially crafted DHCP response packet to force assignment of a multicast address. This can be followed up by an IGMPv3 membership query packet that results in NULL dereference in network stack (CVE-2019-12259)
• One information disclosure vulnerability exists when VxWorks v6.9.3 and above parses an IGMPv3 membership query report that is fragmented over multiple IP fragments (CVE-2019-12265)

Successful exploitation of the most severe of these vulnerabilities could result in a remote attacker obtaining access to a device running a vulnerable OS version.

RECOMMENDATIONS:

We recommend the following actions be taken:

• Apply appropriate patches or appropriate mitigations provided by Wind River or product vendor to vulnerable systems immediately after appropriate testing
• Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
• Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding threats posed by hypertext links contained in emails or attachments especially from untrusted sources
• Apply the Principle of Least Privilege to all systems and services.

REFERENCES: