Allele Security Alert
ASA-2019-00505, CVE-2019-12265, V7NET-2428
IGMP Information leak via IGMPv3 specific membership report
Wind River VxWorks
Wind River VxWorks 6 version 6.6
Wind River VxWorks 6 version 6.7
Wind River VxWorks 6 version 6.8
Wind River VxWorks 6 version 6.9
Wind River VxWorks 7
Proof of concept
An attacker can create specially crafted and fragmented IGMPv3 query report, which may result in the victim transmitting undefined buffer content.
The IGMPv3 reception handler does not expect packets to be spread across multiple IP fragments. A prerequisite for exploiting this vulnerability is that the victim system has at least one IPv4 multicast address assigned. That prerequisite is almost always fulfilled, as all multicast-capable hosts are required to listen to the all-multicast-hosts address, 220.127.116.11. Attacks against link local multicast addresses, such as 18.104.22.168, allow an attacker on the LAN to make the victim system transmit data to the network that has not been properly set. Specifically, the data transmitted from the network might be information from packets previously received or sent by the network stack.
Ben Seri (Armis Labs)
SECURITY ADVISORY: WIND RIVER TCP/IP STACK (IPNET) VULNERABILITIES
SECURITY VULNERABILITY RESPONSE INFORMATION – TCP/IP Network Stack (IPnet, Urgent/11)
URGENT/11 Information from the Research Team – Armis Labs
Critical vulnerabilities to remotely compromise VxWorks, the most popular RTOS
Critical Zero Days Remotely Compromise the Most Popular Real-Time OS
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 10, 2019