ASA-2019-00504 – Wind River VxWorks: Logical flaw in IPv4 assignment by the ipdhcpc DHCP client


Allele Security Alert

ASA-2019-00504

Identifier(s)

ASA-2019-00504, CVE-2019-12264, V7NET-2428

Title

Logical flaw in IPv4 assignment by the ipdhcpc DHCP client

Vendor(s)

Wind River

Product(s)

Wind River VxWorks

Affected version(s)

Wind River VxWorks 6 version 6.6
Wind River VxWorks 6 version 6.7
Wind River VxWorks 6 version 6.8
Wind River VxWorks 6 versions 6.9.x.x before 6.9.4.12
Wind River VxWorks 7 versions 2.x.x.x before 2.1.0.0
Wind River VxWorks 7 versions 1.x.x.x before 1.4.3.1

Fixed version(s)

Wind River VxWorks 6 version 6.9.4.12
Wind River VxWorks 7 version 2.1.0.0
Wind River VxWorks 7 version 1.4.3.1

Proof of concept

Unknown

Description

The VxWorks DHCP client fails to properly validate that the offered IP-address in a DHCP renewal or offer response contains a valid unicast address. An attacker may assign multicast or broadcast addresses to the victim.

An attacker residing on the LAN may choose to highjack a DHCP-client session that requests an IPv4 address. The attacker can send a multicast IP address in the DHCP offer/ack message, which the victim system then incorrectly assigns. This vulnerability is not very useful in isolation, but can be combined with ASA-2019-00499 to create a denial-ofservice attack.

Technical details

Unknown

Credits

Ben Seri (Armis Labs)

Reference(s)

SECURITY ADVISORY: WIND RIVER TCP/IP STACK (IPNET) VULNERABILITIES
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/security-advisory-ipnet/security-advisory-ipnet.pdf

SECURITY VULNERABILITY RESPONSE INFORMATION – TCP/IP Network Stack (IPnet, Urgent/11)
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

CVE: CVE-2019-12264 - Wind River Support Network
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12264

URGENT/11 Information from the Research Team – Armis Labs
https://armis.com/urgent11/

Critical vulnerabilities to remotely compromise VxWorks, the most popular RTOS
https://go.armis.com/hubfs/White-papers/Urgent11%20Technical%20White%20Paper.pdf

Critical Zero Days Remotely Compromise the Most Popular Real-Time OS
https://i.blackhat.com/USA-19/Thursday/us-19-Seri-Critical-Zero-Days-Remotely-Compromise-The-Most-Popular-Real-Time-OS.pdf

ASA-2019-00499 – Wind River VxWorks: Denial of Service (DoS) via NULL dereference in IGMP parsing
https://allelesecurity.com/asa-2019-00499/

CVE-2019-12264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12264

CVE-2019-12264
https://nvd.nist.gov/vuln/detail/CVE-2019-12264

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 15, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.