The VxWorks DHCP client fails to properly validate that the offered IP-address in a DHCP renewal or offer response contains a valid unicast address. An attacker may assign multicast or broadcast addresses to the victim. An attacker residing on the LAN may choose to highjack a DHCP-client session that requests an IPv4 address. The attacker can send a multicast IP address in the DHCP offer/ack message, which the victim system then incorrectly assigns. This vulnerability is not very useful in isolation, but can be combined with CVE-2019-12259 to create a denial-ofservice attack.
Tag: ASA-2019-00499
ASA-2019-00499 – Wind River VxWorks: Denial of Service (DoS) via NULL dereference in IGMP parsing
This vulnerability require that the TCP/IP-stack is assigned a multicast address the API intended for assigning unicast addresses or something with the same logical flaw is a prerequisite. This vulnerability requires that at least one IPv4 multicast address has been assigned to the target in an incorrect way, i.e., using the API intended for assigning unicast addresses. It is not possible to exploit for multicast addresses added with the proper API, i.e., setsockopt(). An attacker may use CVE-2019-12264 to incorrectly assign a multicast IP address. An attacker on the same LAN as the victim system may use this vulnerability to cause a NULL pointer dereference, which most likely will crash the tNet0 task.