@SwitHak
Last active June 5, 2020 08:12
Tracking vendors' responses to URGENT/11 VxWorks vulnerabilities (Last updated: 2020-02-21 1019 UTC)

Advisory (URGENT/11)

UPDATE (2019-10-02 1241 UTC)

General

Armis released new information about the scope of the vulnerabilities: they impact more RTOS than initially expected.

IP Stacks backstory

  • Some of the vulnerabilities discovered by Armis do not reside in the VxWorks RTOS itself but in one part of it, the IP stack. This IP stack, named IPNET, comes from Interpeak AB, a company acquired on 20 March 2006 by Wind River, the editor of the VxWorks RTOS.
  • Before being acquired by Wind River, Interpeak AB sold its IP stacks to several customers. Interpeak AB sold two major IP stacks, named IPNET and IPLITE; IPLITE is a light version of IPNET.

IP Stacks vulnerabilities

IPNET & IPLITE

  • CVE-2019-12255: TCP Urgent pointer zero RCE vulnerability (IPTCP version r6_0_0 and later)
  • CVE-2019-12264: DHCP client (ipdhcpc) IPv4 assignment logical flaw (IPAPPL version r1_2_0 and later)
  • CVE-2019-12258: TCP connection DoS via malformed TCP options (version not specified)
  • CVE-2019-12259: DoS via NULL dereference in IGMP parsing (version not specified)

IPNET2 version r2_8_0 and later

  • CVE-2019-12262: Reverse ARP logical flaw

Other affected RTOS

During testing, Armis discovered that the following RTOS are potentially affected:

Operating System Embedded (OSE) by ENEA

  • ENEA reports that OSE4 and OSE5 may have been bundled with Interpeak IPnet from 2004-2006. In 2007, ENEA replaced Interpeak IPnet with OSENet.

INTEGRITY by Green Hills

  • Green Hills Software reports that Interpeak IPnet was a third-party add-on for the INTEGRITY RTOS from 2003-2006.

ThreadX by Microsoft

Microsoft answer:

  • We have not implemented IPNet in our ThreadX releases, and these vulnerabilities do not impact our code base.
  • Contrary to other reports, no version of ThreadX either pre- or post-acquisition has included IPNet, the affected software.
  • ThreadX customers that have licenses and are also using IPNet should contact Wind River for the appropriate patches.

WindRiver PSIRT answer:

  • Wind River does not support Interpeak software used in ThreadX or any other RTOS vendor products.

ITRON by TRON Forum

  • TRON Forum reports that they only publish the specification for the ITRON RTOS. Various implementations are used by many users world-wide and are created by various implementors (some commercial, some academic and some government) according to the specification document.
  • TRON Forum, the caretaker of the ITRON specification, has not endorsed the use of any particular TCP/IP stack including one from Interpeak.
  • The choice of TCP/IP stack is up to the RTOS vendor and application developers, and thus each application user needs to check whether TCP/IP stack developed by Interpeak is used inside their application.
  • TRON Forum will send out a preliminary warning to members by mailing list to notify implementors of the reported vulnerabilities.

ZebOS by IP Infusion

Nucleus by Mentor

What you can do?

  • Contact your RTOS vendor and ask whether the IPNET or IPLITE IP stacks are integrated in its RTOS.
  • Scan your networks with the Armis security tool URGENT11 DETECTOR.
  • See the DETECTION section below.

NOTE: The References and Security Advisory Tracking parts have been updated too.

General

The Armis research team, Armis Labs, has discovered 11 zero-day vulnerabilities in VxWorks®, the most widely used operating system you may never have heard of. VxWorks is used by over 2 billion devices, including critical industrial, medical and enterprise devices. Dubbed “URGENT/11”, the vulnerabilities reside in VxWorks’ TCP/IP stack (IPnet), impact all versions since version 6.5, and are a rare example of vulnerabilities found to affect the operating system over the last 13 years. Armis has worked closely with Wind River®, the maintainer of VxWorks, and the latest VxWorks 7, released on July 19, contains fixes for all the discovered vulnerabilities.

Six of the vulnerabilities are classified as critical and enable Remote Code Execution (RCE). The 5 remaining vulnerabilities are classified as denial of service, information leaks or logical flaws.

References:

Vulnerabilities

| CVE            | CVSSv3 Score | Description                                                                 |
|----------------|--------------|-----------------------------------------------------------------------------|
| CVE-2019-12256 | 9.8          | Stack overflow in the parsing of IPv4 packets’ IP options                   |
| CVE-2019-12257 | 8.8          | Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc                      |
| CVE-2019-12255 | 9.8          | TCP Urgent Pointer = 0 leads to integer underflow                           |
| CVE-2019-12260 | 9.8          | TCP Urgent Pointer state confusion caused by malformed TCP AO option        |
| CVE-2019-12261 | 8.8          | TCP Urgent Pointer state confusion during connect() to a remote host        |
| CVE-2019-12263 | 8.1          | TCP Urgent Pointer state confusion due to race condition                    |
| CVE-2019-12258 | 7.5          | DoS of TCP connection via malformed TCP options                             |
| CVE-2019-12259 | 6.3          | DoS via NULL dereference in IGMP parsing                                    |
| CVE-2019-12262 | 7.1          | Handling of unsolicited Reverse ARP replies (Logical Flaw)                  |
| CVE-2019-12264 | 7.1          | Logical flaw in IPv4 assignment by the ipdhcpc DHCP client                  |
| CVE-2019-12265 | 5.4          | IGMP Information leak via IGMPv3 specific membership report                 |

Exploit development status (Last check: 2019-08-12 1655 UTC)

  • CVE-2019-12255: DoS Exploit published & verified
  • CVE-2019-12258: DoS Exploit published & verified

Security Advisory Tracking

National / CERT / CSIRT / Authorities

Original software editor advisory

Vendors responses

ABACO SYSTEMS

ABB

ABBOT

ACCURAY

Alcatel-Lucent

AVAYA

Baxter

BD (Beckton Dickinson)

BELDEN (Hirschmann & Garrettcom)

Bosch

Boston Scientific

BR-AUTOMATION

Broadcom

Canon

CARESTREAM

Dell - EMC

Dräger

Draytek

  • Support answer: Our products aren't affected, we don't have devices built on VxWorks. (Thanks to L. HSU.)

Edwards LifeSciences

Extreme Networks

F5

FORTIGUARD

FUJIFILM SONOSITE

General Electric Healthcare

Honeywell

HPE (Hewlett Packard Enterprise)

Medtronic

Mitsubishi

National-Instruments

NetApp

NihonKohden

OMRON

OPTO22

Philips

Polycom

Radware

Ricoh

Roche

Rockwell

Schneider Electric

Siemens

SonicWall

SpaceLabs

Sprecher Automation

SuperSonicImagine

TERUMOBCT

TP-LINK

  • Support answer: "Our VxWorks version is not impacted."

TrendMicro

Ubiquiti

WoodWard

Xerox

XYLEM

Detection

Detection of VxWorks URGENT/11 attacks using signatures

FORTIGUARD

SURICATA

1 : OS-VXWORKS — Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability

alert tcp any any -> any any (flags:U+; msg:"OS-VXWORKS - Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev:1; sid:1000002;)

2 : OS-VXWORKS Illegal use of Urgent pointer — Potential attempt to exploit an Urgent11 RCE vulnerability

alert tcp any any -> any any (flags:SUF+; msg:"OS-VXWORKS Illegal use of Urgent pointer - Potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev:1; sid:1000001;)

3 : OS-VXWORKS Use of LSRR option, potential attempt to exploit an Urgent11 RCE vulnerability

alert ip any any -> any any (ipopts:lsrr; msg:"OS-VXWORKS Use of LSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev:1; sid:1000003;)

4 : OS-VXWORKS Use of SSRR option, potential attempt to exploit an Urgent11 RCE vulnerability

alert ip any any -> any any (ipopts:ssrr; msg:"OS-VXWORKS Use of SSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev:1; sid:1000004;)
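The four Suricata signatures above match on header fields only: the TCP URG flag (flags:U+), the SYN+URG+FIN combination (flags:SUF+), and the IPv4 LSRR/SSRR source-routing options. The following is an added example, not code from the gist or from Armis/Suricata, that re-implements those same header checks in plain Python over constructed packet bytes, so a defender can see exactly what each rule keys on and test a capture offline. It also adds one extra check that the Suricata rules do not have, flagging URG packets whose urgent pointer is 0 (the condition named in the CVE-2019-12255 description); that check, the alert labels, and the packet-building helpers are this example's own assumptions, and the sample packets are constructed, not captured traffic. Note that flags:U+ fires on every URG segment, including legitimate ones, so sid 1000002 is the noisiest of the four and is best used for triage rather than blocking.

```python
import struct

# TCP flag bits (RFC 793 header layout, low 9 bits of the offset/flags word).
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_URG = 0x20

# IPv4 option type numbers (RFC 791): Loose / Strict Source and Record Route.
IPOPT_LSRR = 131
IPOPT_SSRR = 137

IPPROTO_TCP = 6


def parse_ipv4(packet):
    """Return (protocol, raw option bytes, payload) of one IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return packet[9], packet[20:ihl], packet[ihl:]


def ip_option_types(options):
    """Walk the IPv4 option list and return the set of option type numbers present."""
    types, i = set(), 0
    while i < len(options):
        opt = options[i]
        if opt == 0:                      # EOL: end of option list
            break
        if opt == 1:                      # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                         # malformed option: no sane length byte
        types.add(opt)
        i += options[i + 1]
    return types


def parse_tcp(segment):
    """Return (flags, urgent pointer) from a TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    off_flags, urgptr = struct.unpack("!H", segment[12:14])[0], struct.unpack("!H", segment[18:20])[0]
    if (off_flags >> 12) < 5:
        raise ValueError("bad TCP data offset")
    return off_flags & 0x01FF, urgptr


def check_packet(packet):
    """Apply the four signatures (by sid) plus the extra urgent-pointer-zero check.

    Returns the list of matched labels, IP-level checks first, then TCP-level ones."""
    alerts = []
    proto, options, payload = parse_ipv4(packet)
    present = ip_option_types(options)
    if IPOPT_LSRR in present:
        alerts.append("1000003")          # ipopts:lsrr
    if IPOPT_SSRR in present:
        alerts.append("1000004")          # ipopts:ssrr
    if proto == IPPROTO_TCP:
        flags, urgptr = parse_tcp(payload)
        if flags & TCP_URG:
            alerts.append("1000002")      # flags:U+  (URG set, any other flags)
            if flags & TCP_SYN and flags & TCP_FIN:
                alerts.append("1000001")  # flags:SUF+ (SYN, URG and FIN all set)
            if urgptr == 0:
                alerts.append("URG_PTR_ZERO")  # extra check, not one of the page's rules
    return alerts


# --- constructed sample packets (assumed addresses, zero checksums) ---------------

def build_tcp(flags, urgptr=0):
    """Minimal 20-byte TCP header with the given flags and urgent pointer."""
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | flags, 8192, 0, urgptr)


def build_ipv4(payload, proto=IPPROTO_TCP, options=b""):
    """IPv4 header (10.0.0.1 -> 10.0.0.2) with options padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                         0, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + options + payload


# LSRR / SSRR option: type, length 7, pointer 4, one route hop (10.0.0.3).
LSRR_OPTION = bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 3])
SSRR_OPTION = bytes([IPOPT_SSRR, 7, 4, 10, 0, 0, 3])

SAMPLES = {
    "plain SYN":            build_ipv4(build_tcp(TCP_SYN)),
    "URG, pointer 0":       build_ipv4(build_tcp(TCP_URG | TCP_ACK, urgptr=0)),
    "URG, pointer 5":       build_ipv4(build_tcp(TCP_URG | TCP_ACK, urgptr=5)),
    "SYN+URG+FIN":          build_ipv4(build_tcp(TCP_SYN | TCP_URG | TCP_FIN, urgptr=1)),
    "SYN with LSRR option": build_ipv4(build_tcp(TCP_SYN), options=LSRR_OPTION),
    "non-TCP with SSRR":    build_ipv4(b"", proto=17, options=SSRR_OPTION),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22s} -> {check_packet(pkt) or ['no alert']}")
```

Running the block prints one line per constructed sample; the "plain SYN" case produces no alert, while the others show which sid (or the extra URG_PTR_ZERO label) would fire, which is a quick way to sanity-check what a rule set keyed on these header fields will and will not see.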

SNORT / SOURCEFIRE

  • 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
  • Available since the 2019-08-20 12:01:10 UTC Snort Subscriber Rules Update / Sourcefire VRT Certified rule pack, Snort version 2091401.

Detection of VxWorks based systems

TENABLE

QUALYS


SwitHak commented Aug 9, 2019

Correct link for Schneider Electric:
https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SESB-2019-214-01-Wind+River_VxWorks+Security+Bulletin+V1.1.pdf&p_Doc_Ref=SESB-2019-214-01

Hi,
Mine was right before they removed the version 1 for 1.1.
Thanks for the information, it’s already updated!
EDIT: Seems they don’t want us to link the PDF directly so I’ve updated with the webpage before.
EDIT1: Seems there’s some problems in their documentation database.
EDIT2: Now it’s available.


SwitHak commented Aug 16, 2019

@pweichen

Hi SwitHak,
Please remove the following link, since it is outdated:
http://www.br-automation.com/downloads_br_productcatalogue/assets/1564957998766-en-original-1.0.pdf

Please do not directly link our cyber security advisory - just keep the link to our cyber security page (https://www.br-automation.com/de/service/cyber-security/).

Thanks,
Peter W.
B&R Cyber Security Team


SwitHak commented Aug 25, 2019

Hi SwitHak,
Please remove the following link, since it is outdated:
http://www.br-automation.com/downloads_br_productcatalogue/assets/1564957998766-en-original-1.0.pdf

Please do not directly link our cyber security advisory - just keep the link to our cyber security page (https://www.br-automation.com/de/service/cyber-security/).

Thanks,
Peter W.
B&R Cyber Security Team

Hi Peter,
Thanks for the information, already updated!


sjfxlong commented Oct 8, 2019

Hi SwitHak—

Wind River has no experience with supporting non-Wind River operating systems and unfortunately is not able to help users of those operating systems. That responsibility lies with those vendors.

Specifically the Microsoft answer directing ThreadX customers to Wind River is incorrect information. Wind River does not support Interpeak software used in ThreadX or any other RTOS vendor products. ThreadX and those other vendors will need to help their customers. Please remove or edit the comment from ThreadX to reflect this.

I’m also a bit confused by the first two bullets from ThreadX. Do a search for “ThreadX IPnet” and decide for yourself if they are accurate. I see for example a press release from ThreadX touting "Interpeak's dual-mode IPv4/IPv6 IPNET and IPLITE stacks are now fully integrated with the ThreadX RTOS."

Your page is quite useful for the industry at-large. Thank you for your efforts in providing this cross-vendor platform and consolidating varied information sources.

Thanks,
Steve L.
Wind River Systems PSIRT


SwitHak commented Oct 15, 2019

Hi SwitHak—

Wind River has no experience with supporting non-Wind River operating systems and unfortunately is not able to help users of those operating systems. That responsibility lies with those vendors.

Specifically the Microsoft answer directing ThreadX customers to Wind River is incorrect information. Wind River does not support Interpeak software used in ThreadX or any other RTOS vendor products. ThreadX and those other vendors will need to help their customers. Please remove or edit the comment from ThreadX to reflect this.

I’m also a bit confused by the first two bullets from ThreadX. Do a search for “ThreadX IPnet” and decide for yourself if they are accurate. I see for example a press release from ThreadX touting "Interpeak's dual-mode IPv4/IPv6 IPNET and IPLITE stacks are now fully integrated with the ThreadX RTOS."

Your page is quite useful for the industry at-large. Thank you for your efforts in providing this cross-vendor platform and consolidating varied information sources.

Thanks,
Steve L.
Wind River Systems PSIRT

Hi @sjfxlong

Thanks for your feedback.

Specifically the Microsoft answer directing ThreadX customers to Wind River is incorrect information. Wind River does not support Interpeak software used in ThreadX or any other RTOS vendor products. ThreadX and those other vendors will need to help their customers. Please remove or edit the comment from ThreadX to reflect this.

It's an official support answer from Microsoft, I will add a comment with your sentence to reflect the WindRiver view.

I’m also a bit confused by the first two bullets from ThreadX. Do a search for “ThreadX IPnet” and decide for yourself if they are accurate. I see for example a press release from ThreadX touting "Interpeak's dual-mode IPv4/IPv6 IPNET and IPLITE stacks are now fully integrated with the ThreadX RTOS."

It's a little bit complicated. ThreadX is a LEGO-like RTOS; it's made of different bricks, and the IPNet & IPLite IP stacks were one of those bricks.
So ThreadX customers have different possible choices, and IPNet & IPLite are third-party stack bricks, so not supported by Microsoft / ThreadX.

Your page is quite useful for the industry at-large. Thank you for your efforts in providing this cross-vendor platform and consolidating varied information sources.

Thanks, really appreciated.

Available for further discussion or comment, Here or in my Twitter DM if you want.

SwitHak
Twitter: @SwitHak
