A specially crafted TCP segment with the URG flag set may cause an overflow of the buffer passed to the recv(), recvfrom() or recvmsg() socket routines. With the prerequisite that the system uses TCP sockets, an attacker can either hijack an existing TCP session and inject bad TCP segments, or establish a new TCP session on any TCP port the victim system listens on. The impact of the vulnerability is a buffer overflow of up to a full TCP receive window (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as the buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.
Tag: Wind River VxWorks
ASA-2019-00505 – Wind River VxWorks: IGMP Information leak via IGMPv3 specific membership report
An attacker can create a specially crafted and fragmented IGMPv3 query report, which may result in the victim transmitting undefined buffer content. The IGMPv3 reception handler does not expect packets to be spread across multiple IP fragments. A prerequisite for exploiting this vulnerability is that the victim system has at least one IPv4 multicast address assigned. That prerequisite is almost always fulfilled, as all multicast-capable hosts are required to listen on the all-multicast-hosts address, 224.0.0.1. Attacks against link-local multicast addresses, such as 224.0.0.1, allow an attacker on the LAN to make the victim system transmit data to the network that has not been properly initialized. Specifically, the data transmitted to the network might be information from packets previously received or sent by the network stack.
ASA-2019-00504 – Wind River VxWorks: Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
The VxWorks DHCP client fails to properly validate that the offered IP address in a DHCP renewal or offer response contains a valid unicast address. An attacker may therefore assign multicast or broadcast addresses to the victim. An attacker residing on the LAN may choose to hijack a DHCP client session that requests an IPv4 address. The attacker can send a multicast IP address in the DHCP offer/ack message, which the victim system then incorrectly assigns. This vulnerability is not very useful in isolation, but can be combined with CVE-2019-12259 to create a denial-of-service attack.
ASA-2019-00503 – Wind River VxWorks: TCP Urgent Pointer state confusion due to race condition
A series of segments with and without the URG flag set must arrive with very specific timing while an application on the victim is receiving from the session. The victim must be using an SMP kernel with two or more CPU cores, or alternatively a uni-processor kernel where the receiving task and the network task execute at different priorities. A prerequisite is that the system uses TCP sockets and there is at least one TCP session enabled that an attacker can inject traffic into. This vulnerability relies on a race condition between the network task (tNet0) and the receiving application. It is essentially impossible to trigger the race on a system with just a single CPU thread enabled, and there is no way to reliably trigger it on SMP targets. The impact of the vulnerability is a buffer overflow of up to a full TCP receive window (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as the buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.
ASA-2019-00502 – Wind River VxWorks: Handling of unsolicited Reverse ARP replies
The RARP reception handler verifies that the packet is well formed, but fails to verify that the node has an ongoing RARP transaction matching the received packet. An attacker residing on the LAN can send reverse-ARP responses to the victim system to assign unicast IPv4 addresses to the target. The action will not cause any direct harm beyond increased RAM usage. However, the vulnerability may indirectly cause a network connectivity issue for the system on the LAN if the assigned IP addresses collide with those of other machines.
ASA-2019-00501 – Wind River VxWorks: TCP Urgent Pointer state confusion during connect() to a remote host
A specially crafted response to the connection attempt, in which the FIN and URG flags are also set, is sent back to the victim. This may put the victim into an inconsistent state, which makes it possible to send yet another segment that triggers a buffer overflow. A prerequisite is that the system uses TCP sockets and the attacker can trigger the target to establish a new TCP connection whose traffic the attacker hijacks. The impact of the vulnerability is a buffer overflow of up to a full TCP receive window (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as the buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.
ASA-2019-00500 – Wind River VxWorks: TCP Urgent Pointer state confusion caused by malformed TCP AO option
A series of specially crafted TCP segments, where the last step is a TCP segment with the URG flag set, may cause an overflow of the buffer passed to the recv(), recvfrom() or recvmsg() socket routines. A prerequisite is that the system uses TCP sockets and listens on at least one TCP port. The impact of the vulnerability is a buffer overflow of up to a full TCP receive window (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as the buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.
ASA-2019-00499 – Wind River VxWorks: Denial of Service (DoS) via NULL dereference in IGMP parsing
A prerequisite for this vulnerability is that the TCP/IP stack has been assigned a multicast address through the API intended for assigning unicast addresses, or through something with the same logical flaw. In other words, at least one IPv4 multicast address must have been assigned to the target in an incorrect way, i.e., using the API intended for assigning unicast addresses. It is not possible to exploit for multicast addresses added with the proper API, i.e., setsockopt(). An attacker may use CVE-2019-12264 to incorrectly assign a multicast IP address. An attacker on the same LAN as the victim system may use this vulnerability to cause a NULL pointer dereference, which will most likely crash the tNet0 task.