Allele Security Alert
ASA-2019-00502, CVE-2019-12262, V7NET-2427
Handling of unsolicited Reverse ARP replies
Wind River VxWorks
Wind River VxWorks 6 version 6.6
Wind River VxWorks 6 version 6.7
Wind River VxWorks 6 version 6.8
Wind River VxWorks 6 version 6.9 before 126.96.36.199
Wind River VxWorks 7 versions 2.x.x.x before 188.8.131.52
Wind River VxWorks 7 versions 1.x.x.x before 184.108.40.206
Wind River VxWorks 6 version 220.127.116.11
Wind River VxWorks 7 version 18.104.22.168
Wind River VxWorks 7 version 22.214.171.124
Proof of concept
The RARP reception handler verifies that the packet is well formed, but fails to verify that the node has an ongoing RARP-transaction matching the received packet.
An attacker residing on the LAN can send reverse-ARP responses to the victim system to assign unicast IPv4 addresses to the target. The action will not cause any direct harm more than increased usage of RAM. However, the vulnerability may indirectly cause a network connectivity issue for the system on the LAN if the assigned IP addresses collide with other machines.
Ben Seri (Armis Labs)
SECURITY ADVISORY: WIND RIVER TCP/IP STACK (IPNET) VULNERABILITIES
SECURITY VULNERABILITY RESPONSE INFORMATION – TCP/IP Network Stack (IPnet, Urgent/11)
URGENT/11 Information from the Research Team – Armis Labs
Critical vulnerabilities to remotely compromise VxWorks, the most popular RTOS
Critical Zero Days Remotely Compromise the Most Popular Real-Time OS
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 12, 2019