Allele Security Alert
ASA-2019-00500
Identifier(s)
ASA-2019-00500, CVE-2019-12260, V7NET-2425
Title
TCP Urgent Pointer state confusion caused by malformed TCP AO option
Vendor(s)
Wind River
Product(s)
Wind River VxWorks
Affected version(s)
Wind River VxWorks 6 versions 6.9.x.x before 6.9.4.12
Wind River VxWorks 7 versions 2.x.x.x before 2.1.0.0
Wind River VxWorks 7 versions 1.x.x.x before 1.4.3.1
Fixed version(s)
Wind River VxWorks 6 version 6.9.4.12
Wind River VxWorks 7 version 2.1.0.0
Wind River VxWorks 7 version 1.4.3.1
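The affected and fixed version ranges above, expressed as an inventory triage check. This is an added example, not part of the original alert and not Wind River tooling. The `host,product,version` inventory format, the host names and the sample rows are constructed for illustration, and the check assumes versions are reported as four dot-separated numbers.

```python
import re

# Affected branches copied from this advisory:
# (product, version prefix of the branch, first fixed version)
AFFECTED_RANGES = [
    ("VxWorks 6", (6, 9), (6, 9, 4, 12)),
    ("VxWorks 7", (2,), (2, 1, 0, 0)),
    ("VxWorks 7", (1,), (1, 4, 3, 1)),
]

# Constructed sample inventory (hypothetical hosts): host,product,version
SAMPLE_INVENTORY = """
plc-01,VxWorks 6,6.9.4.9
plc-02,VxWorks 6,6.9.4.12
hmi-01,VxWorks 7,1.4.3.0
hmi-02,VxWorks 7,2.1.0.0
gw-01,VxWorks 6,6.8.3.0
gw-02,VxWorks 7,unknown
"""

def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of four ints; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def classify(product, version_text):
    """Return 'affected', 'fixed' or 'not-listed' for one product/version."""
    version = parse_version(version_text)
    for name, prefix, fixed in AFFECTED_RANGES:
        if product.strip().lower() == name.lower() and version[:len(prefix)] == prefix:
            # Numeric tuple comparison: 6.9.4.9 sorts before 6.9.4.12
            return "affected" if version < fixed else "fixed"
    return "not-listed"  # branch not covered by this advisory

def triage(inventory_text):
    """Classify every inventory row; rows that cannot be parsed are 'unknown'."""
    results = {}
    for line in inventory_text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        try:
            host, product, version = fields
            results[host] = classify(product, version)
        except ValueError:
            results[fields[0]] = "unknown"  # needs manual follow-up
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows reported as `not-listed` or `unknown` are not cleared by this check; they only fall outside the ranges this alert enumerates or could not be parsed.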
Proof of concept
Unknown
Description
A series of specially crafted TCP segments, the last of which has the URG flag set, may overflow the buffer passed to the recv(), recvfrom() or recvmsg() socket routines.
A prerequisite is that the system uses TCP sockets and listens on at least one TCP port. The impact of the vulnerability is a buffer overflow of up to a full TCP receive window (by default 10k-64k depending on version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications that pass a stack-allocated variable as the buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to remote code execution (RCE).
Technical details
Unknown
Credits
Ben Seri (Armis Labs)
Reference(s)
SECURITY ADVISORY: WIND RIVER TCP/IP STACK (IPNET) VULNERABILITIES
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/security-advisory-ipnet/security-advisory-ipnet.pdf
SECURITY VULNERABILITY RESPONSE INFORMATION – TCP/IP Network Stack (IPnet, Urgent/11)
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12260
URGENT/11 Information from the Research Team – Armis Labs
https://armis.com/urgent11/
Critical vulnerabilities to remotely compromise VxWorks, the most popular RTOS
https://go.armis.com/hubfs/White-papers/Urgent11%20Technical%20White%20Paper.pdf
Critical Zero Days Remotely Compromise the Most Popular Real-Time OS
https://i.blackhat.com/USA-19/Thursday/us-19-Seri-Critical-Zero-Days-Remotely-Compromise-The-Most-Popular-Real-Time-OS.pdf
CVE-2019-12260
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12260
CVE-2019-12260
https://nvd.nist.gov/vuln/detail/CVE-2019-12260
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 12, 2019