CNNVD Report on Multiple Remote Code Execution Vulnerabilities in VxWorks

Recently, VxWorks officially released multiple security vulnerability announcements, including the VxWorks buffer overflow vulnerability (CNNVD-201907-1499, CVE-2019-12256), VxWorks security vulnerabilities (CNNVD-201907-1497, CVE-2019-12255), and several other vulnerabilities. VxWorks 7, VxWorks 6.5-6.9, and VxWorks versions using the Interpeak standalone network stack are all affected by these vulnerabilities. Attackers who successfully exploit these vulnerabilities can perform remote code execution without user interaction or authentication, ultimately gaining full control of the affected devices. Currently, VxWorks has released patches for these vulnerabilities, and users are advised to promptly verify if they are affected and take necessary remediation measures.

1. Vulnerability Introduction

VxWorks is a real-time operating system deployed in embedded systems, designed and developed by Wind River Systems, Inc. (WRS) in 1983. VxWorks is used in over 2 billion devices, including critical infrastructure, networking equipment, medical devices, industrial systems, and even spacecraft. The system has a wide range of applications from PLCs to MRI machines, firewalls, printers, and even aircraft and trains.

1. VxWorks Buffer Overflow Vulnerability (CNNVD-201907-1499, CVE-2019-12256)

When an attacker sends a malformed IP packet containing multiple Source Record Route (SRR) options to a VxWorks device affected by this vulnerability, the target device will generate an ICMP error packet in response and, without security validation, copy the attacker’s malformed IP packet into the IP options of the response packet, ultimately leading to a stack overflow.

2. VxWorks Security Vulnerability (CNNVD-201907-1497, CVE-2019-12255) (CNNVD-201907-1496, CVE-2019-12260) (CNNVD-201907-1494, CVE-2019-12261) (CNNVD-201907-1493, CVE-2019-12263) TCP has a mechanism for transmitting out-of-band data known as “urgent data.” By exploiting this mechanism, an attacker can cause an underflow in the length variable of the incoming recv() system call, leading to a buffer overflow in the incoming recv() system call that is controllable by the attacker, ultimately resulting in remote code execution.3. VxWorks DHCP Client Heap Overflow Vulnerability (CNNVD-201907-1498, CVE-2019-12257)

The VxWorks DHCP client has a heap overflow vulnerability when parsing DHCP Offer and ACK packets returned by the DHCP server. When an attacker is on the same network as the target device and the target device sends a DHCP Discovery packet, the attacker can trigger this heap overflow vulnerability by sending a carefully crafted DHCP Offer packet to the target device. The attacker can execute arbitrary code on the target device through this vulnerability.

2. Impact and Risks

Attackers who successfully exploit the above vulnerabilities can perform remote code execution without user interaction or authentication, ultimately gaining full control of the affected devices. VxWorks 7, VxWorks 6.5-6.9, and VxWorks versions using the Interpeak standalone network stack are all affected by these vulnerabilities. The specifics are as follows:

Vulnerability ID

Impact Scope

1

VxWorks Security Vulnerability (CNNVD-201907-1497, CVE-2019-12255) (CNNVD-201907-1496, CVE-2019-12260) (CNNVD-201907-1494, CVE-2019-12261) (CNNVD-201907-1493, CVE-2019-12263)

VxWorks 6.6, VxWorks 6.7, VxWorks 6.8, VxWorks 6.9, VxWorks 7

2

VxWorks Buffer Overflow Vulnerability (CNNVD-201907-1499, CVE-2019-12256)

VxWorks 6.9, VxWorks 7

3

VxWorks DHCP Client Heap Overflow Vulnerability (CNNVD-201907-1498, CVE-2019-12257)

VxWorks 6.6, VxWorks 6.7, VxWorks 6.8, VxWorks 6.9

3. Remediation Recommendations

Currently, VxWorks has released patches for these vulnerabilities, and users are advised to promptly verify if they are affected and take necessary remediation measures. The official link is as follows:

https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

This report is supported by the technical support units of CNNVD—Zhidao Chuangyu 404 Laboratory and Qi An Xin Technology Group Co., Ltd.

CNNVD will continue to monitor the situation regarding the above vulnerabilities and release relevant information in a timely manner. If needed, please contact CNNVD.

Contact: [email protected]

Leave a Comment