ASA-2019-00501 – Wind River VxWorks: TCP Urgent Pointer state confusion during connect() to a remote host


Allele Security Alert

ASA-2019-00501

Identifier(s)

ASA-2019-00501, CVE-2019-12261, V7NET-2425

Title

TCP Urgent Pointer state confusion during connect() to a remote host

Vendor(s)

Wind River

Product(s)

Wind River VxWorks

Affected version(s)

Wind River VxWorks 6 version 6.7
Wind River VxWorks 6 version 6.8
Wind River VxWorks 6 version 6.9 before 6.9.4.12
Wind River VxWorks 7 versions 2.x.x.x before 2.1.0.0
Wind River VxWorks 7 versions 1.x.x.x before 1.4.3.1

Fixed version(s)

Wind River VxWorks 6 version 6.9.4.12
Wind River VxWorks 7 version 2.1.0.0
Wind River VxWorks 7 version 1.4.3.1

Proof of concept

Unknown

Description

A specially crafted response to the connection attempt, in which the FIN and URG flags are also set, is sent back to the connecting host. This may put the victim into an inconsistent state, which makes it possible to send yet another segment that triggers a buffer overflow.

A prerequisite is that the system uses TCP sockets and that the attacker can trigger the target to establish a new TCP connection whose traffic the attacker hijacks. The impact of the vulnerability is a buffer overflow of up to a full TCP receive window (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as the buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.
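An added detection example, not taken from this advisory, Wind River or Armis: it parses raw TCP headers from constructed sample segments and flags a connection response that carries SYN, ACK, FIN and URG at the same time, the malformed reply described above. The sample segments, the helper names and the flag constants are this example's own assumptions; a real deployment would feed it headers from a capture or an IDS hook.

```python
import struct
from dataclasses import dataclass

# TCP flag bits (RFC 793), low byte of the data-offset/flags word
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass
class TcpHeader:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int      # 9 flag bits (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN)
    window: int
    urg_ptr: int

def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Parse the fixed 20-byte TCP header from a raw segment (options ignored)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return TcpHeader(sport, dport, seq, ack, off_flags & 0x1FF, window, urg_ptr)

def is_synack_fin_urg(h: TcpHeader) -> bool:
    """True for a connection response (SYN+ACK) that also carries FIN and URG,
    the malformed reply described in CVE-2019-12261. SYN together with FIN is
    never legitimate, so this also catches classic SYN/FIN probe traffic."""
    required = TCP_SYN | TCP_ACK | TCP_FIN | TCP_URG
    return (h.flags & required) == required

def build_tcp_header(sport, dport, seq, ack, flags, window=8192, urg_ptr=0) -> bytes:
    """Constructed sample header (no options, zero checksum) used only as test input."""
    off_flags = (5 << 12) | (flags & 0x1FF)   # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, urg_ptr)

# Constructed sample traffic: a normal SYN/ACK, the anomalous SYN/ACK+FIN+URG reply,
# and an ordinary data segment with URG set (legitimate on its own, must not alert).
SAMPLE_SEGMENTS = {
    "normal_synack": build_tcp_header(80, 40000, 1000, 2001, TCP_SYN | TCP_ACK),
    "synack_fin_urg": build_tcp_header(80, 40000, 1000, 2001,
                                       TCP_SYN | TCP_ACK | TCP_FIN | TCP_URG, urg_ptr=1),
    "data_with_urg": build_tcp_header(80, 40000, 1001, 2001,
                                      TCP_ACK | TCP_PSH | TCP_URG, urg_ptr=1),
}

def find_anomalous(segments: dict) -> list:
    """Names of captured segments matching the SYN/ACK+FIN+URG pattern."""
    return [name for name, raw in segments.items()
            if is_synack_fin_urg(parse_tcp_header(raw))]
```

Calling `find_anomalous(SAMPLE_SEGMENTS)` returns only the `synack_fin_urg` entry; the plain URG data segment is left alone because the urgent flag by itself is not the indicator, the combination on a handshake reply is.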

Technical details

Unknown

Credits

Ben Seri (Armis Labs)

Reference(s)

SECURITY ADVISORY: WIND RIVER TCP/IP STACK (IPNET) VULNERABILITIES
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/security-advisory-ipnet/security-advisory-ipnet.pdf

SECURITY VULNERABILITY RESPONSE INFORMATION – TCP/IP Network Stack (IPnet, Urgent/11)
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

CVE: CVE-2019-12261 - Wind River Support Network
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12261

URGENT/11 Information from the Research Team – Armis Labs
https://armis.com/urgent11/

Critical vulnerabilities to remotely compromise VxWorks, the most popular RTOS
https://go.armis.com/hubfs/White-papers/Urgent11%20Technical%20White%20Paper.pdf

Critical Zero Days Remotely Compromise the Most Popular Real-Time OS
https://i.blackhat.com/USA-19/Thursday/us-19-Seri-Critical-Zero-Days-Remotely-Compromise-The-Most-Popular-Real-Time-OS.pdf

CVE-2019-12261
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12261

CVE-2019-12261
https://nvd.nist.gov/vuln/detail/CVE-2019-12261

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.