Allele Security Alert
ASA-2019-00501, CVE-2019-12261, V7NET-2425
TCP Urgent Pointer state confusion during connect() to a remote host
Wind River VxWorks
Wind River VxWorks 6 version 6.7
Wind River VxWorks 6 version 6.8
Wind River VxWorks 6 version 6.9 before 18.104.22.168
Wind River VxWorks 7 versions 2.x.x.x before 22.214.171.124
Wind River VxWorks 7 versions 1.x.x.x before 126.96.36.199
Wind River VxWorks 6 version 188.8.131.52
Wind River VxWorks 7 version 184.108.40.206
Wind River VxWorks 7 version 220.127.116.11
Proof of concept
A specially crafted response to the connection attempt, where also the FIN- and URG-flags are set is sent as a response. This may put the victim into an inconsistent state, which make it possible to send yet another segment that trigger a buffer overflow.
A prerequisite is that the system uses TCP sockets and the attacker can trigger the target to establish a new TCP connection that the attacker highjacks the traffic of. The impact of the vulnerability is a buffer overflow of up to a full TCP receive-windows (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.
Ben Seri (Armis Labs)
SECURITY ADVISORY: WIND RIVER TCP/IP STACK (IPNET) VULNERABILITIES
SECURITY VULNERABILITY RESPONSE INFORMATION – TCP/IP Network Stack (IPnet, Urgent/11)
URGENT/11 Information from the Research Team – Armis Labs
Critical vulnerabilities to remotely compromise VxWorks, the most popular RTOS
Critical Zero Days Remotely Compromise the Most Popular Real-Time OS
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 12, 2019