ASA-2019-00506 – Wind River VxWorks: TCP Urgent Pointer = 0 leads to integer underflow

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00506

Identifier(s)

ASA-2019-00506, CVE-2019-12255, VXW6-87100

Title

TCP Urgent Pointer = 0 leads to integer underflow

Vendor(s)

Wind River

Product(s)

Wind River VxWorks

Affected version(s)

Wind River VxWorks 6 version 6.6
Wind River VxWorks 6 version 6.7
Wind River VxWorks 6 version 6.8
Wind River VxWorks 6 versions 6.9.x before 6.9.4

Fixed version(s)

Wind River VxWorks 6 version 6.9.4

Proof of concept

Yes

Description

A specially crafted TCP-segment with the URG-flag set may cause overflow of the buffer passed to recv(), recvfrom() or recvmsg() socket routines.

With a prerequisite that the system uses TCP sockets, an attacker can either hijack an existing TCP session and inject bad TCP segments, or establish a new TCP session on any TCP port the victim system listens to. The impact of the vulnerability is a buffer overflow of up to a full TCP receive-windows (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.

Technical details

Unknown

Credits

Ben Seri (Armis Labs)

Reference(s)

SECURITY ADVISORY: WIND RIVER TCP/IP STACK (IPNET) VULNERABILITIES
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/security-advisory-ipnet/security-advisory-ipnet.pdf

SECURITY VULNERABILITY RESPONSE INFORMATION – TCP/IP Network Stack (IPnet, Urgent/11)
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

CVE: CVE-2019-12255 - Wind River Support Network
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12255

URGENT/11 Information from the Research Team – Armis Labs
https://armis.com/urgent11/

Critical vulnerabilities to remotely compromise VxWorks, the most popular RTOS
https://go.armis.com/hubfs/White-papers/Urgent11%20Technical%20White%20Paper.pdf

Critical Zero Days Remotely Compromise the Most Popular Real-Time OS
https://i.blackhat.com/USA-19/Thursday/us-19-Seri-Critical-Zero-Days-Remotely-Compromise-The-Most-Popular-Real-Time-OS.pdf

CVE-2019-12255
https://github.com/dazhouzhou/vxworks-poc/tree/master/CVE-2019-12255

CVE-2019-12255
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12255

CVE-2019-12255
https://nvd.nist.gov/vuln/detail/CVE-2019-12255

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 15, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.