ASA-2019-00506 – Wind River VxWorks: TCP Urgent Pointer = 0 leads to integer underflow

A specially crafted TCP-segment with the URG-flag set may cause overflow of the buffer passed to recv(), recvfrom() or recvmsg() socket routines. With a prerequisite that the system uses TCP sockets, an attacker can either hijack an existing TCP session and inject bad TCP segments, or establish a new TCP session on any TCP port the victim system listens to. The impact of the vulnerability is a buffer overflow of up to a full TCP receive-windows (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.