Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Tracking vendors responses to URGENT/11 VxWorks vulnerabilities (Last updated: 2019-12-10 2251 UTC)

Advisory (URGENT/11)

UPDATE (2019-10-02 1241 UTC)

General

Armis released new information about the vulnerabilities scope. The vulnerabilities impact more RTOS than expected.

IP Stacks backstory

  • Some of the vulnerabilities discovered by Armis doesn't resides in VxWorks RTOS but in one part of it, the IP stack. This IP stack named IPNET stack comes from Interpeak AB, a company acquired by Wind River the editor of VxWorks RTOS, the 20th March 2006.
  • Before been acquired by Wind River, the Interpeak AB company sold IP stacks to several customers of them. Interpeak AB sold 2 major IP stacks named IPNET & IPLITE, IPLITE is a light version of IPNET.

IP Stacks vulnerabilities

IPNET & IPLITE

  • CVE-2019-12255: TCP Urgent pointer zero RCE vulnerability (IPTCP version r6_0_0 and later)
  • CVE-2019-12264: DHCP client (ipdhcpc) IPv4 assignment logical flaw (IPAPPL version r1_2_0 and later)
  • CVE-2019-12258: TCP connection DoS via malformed TCP options (version not specified)
  • CVE-2019-12259: DoS via NULL dereference in IGMP parsing (version not specified)

IPNET2 version r2_8_0 and later

  • CVE-2019-12262: Reverse ARP logical flaw

Others affected RTOS

Armis discovered during testing the following RTOS are potentially affected:

Operating System Embedded (OSE) by ENEA

  • ENEA reports that OSE4 and OSE5 may have been bundled with Interpeak IPnet from 2004-2006. In 2007, ENEA replaced Interpeak IPnet with OSENet.

INTEGRITY by Green Hills

  • Green Hills Software reports Interpeak IPnet was a third-party add-on for INTREGRITY RTOS from 2003-2006.

ThreadX by Microsoft

Microsoft answer:

  • We have not implemented IPNet in our ThreadX releases, and these vulnerabilities do not impact our code base.
  • Contrary to other reports, no version of ThreadX either pre- or post-acquisition has included IPNet, the affected software.
  • ThreadX customers that have licenses and are also using IPNet should contact Wind River for the appropriate patches.

WindRiver PSIRT answer:

  • Wind River does not support Interpeak software used in ThreadX or any other RTOS vendor products.

ITRON by TRON Forum

  • TRON Forum reports they only publish the specification for ITRON RTOS. Various implementations are used by many users world-wide and are created by various implementors (some commercial, and some academic and some government) according the specification document.
  • TRON Forum, the caretaker of the ITRON specification, has not endorsed the use of any particular TCP/IP stack including one from Interpeak.
  • The choice of TCP/IP stack is up to the RTOS vendor and application developers, and thus each application user needs to check whether TCP/IP stack developed by Interpeak is used inside their application.
  • TRON Forum will send out a preliminary warning to members by mailing list to notify implementors of the reported vulnerabilities.

ZebOS by IP Infusion

Nucleus by Mentor

What you can do ?

  • Contact your RTOS editor and ask him if he integrated IPNET or IPLITE IP stacks in his RTOS.
  • Scan your networks with Armis security tool URGENT11 DETECTOR
  • See below the part named DETECTION

NOTA: References and security advisories parts have been updated too.

General

The Armis research team, Armis Labs, have discovered 11 zero day vulnerabilities in VxWorks®, the most widely used operating system you may never heard about. VxWorks is used by over 2 billion devices including critical industrial, medical and enterprise devices. Dubbed “URGENT/11” the vulnerabilities reside in VxWorks’ TCP/IP stack (IPnet), impacting all versions since version 6.5, and are a rare example of vulnerabilities found to affect the operating system over the last 13 years. Armis has worked closely with Wind River®, the maintainer of VxWorks, and the latest VxWorks 7 released on July 19 contains fixes for all the discovered vulnerabilities.

Six of the vulnerabilities are classified as critical and enable Remote Code Execution (RCE). The 5 remaining vulnerabilities are classified as denial of service, information leaks or logical flaws.

References:

Vulnerabilities

CVE CVSSv3 Score Description
CVE-2019-12256 9.8 Stack overflow in the parsing of IPv4 packets’ IP options
CVE-2019-12257 8.8 Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
CVE-2019-12255 9.8 TCP Urgent Pointer = 0 leads to integer underflow
CVE-2019-12260 9.8 TCP Urgent Pointer state confusion caused by malformed TCP AO option
CVE-2019-12261 8.8 TCP Urgent Pointer state confusion during connect() to a remote host
CVE-2019-12263 8.1 TCP Urgent Pointer state confusion due to race condition
CVE-2019-12258 7.5 DoS of TCP connection via malformed TCP options
CVE-2019-12259 6.3 DoS via NULL dereference in IGMP parsing
CVE-2019-12262 7.1 Handling of unsolicited Reverse ARP replies (Logical Flaw)
CVE-2019-12264 7.1 Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
CVE-2019-12265 5.4 IGMP Information leak via IGMPv3 specific membership report

Exploit development status (Last check: 2019-08-12 1655 UTC)

  • CVE-2019-12255: DoS Exploit published & verified
  • CVE-2019-12258: DoS Exploit published & verified

Security Advisory Tracking

National / CERT / CSIRT / Authorities

Original software editor advisory

Vendors responses

ABACO SYSTEMS

ABB

ABBOT

ACCURAY

Alcatel-Lucent

AVAYA

Baxter

BD (Beckton Dickinson)

BELDEN (Hirschmann & Garrettcom)

Bosch

BR-AUTOMATION

Broadcom

Canon

CARESTREAM

Dräger

Draytek

  • Support answer: Our products aren't affected, we don't have devices built on VxWorks. (Thanks to L. HSU.)

Edwards LifeSciences

Extreme Networks

F5

FORTIGUARD

FUJIFILM SONOSITE

General Electric Healthcare

Honeywell

HPE (Hewlett Packard Enterprise)

Medtronic

National-Instruments

NetApp

NihonKohden

OMRON

OPTO22

Philips

Radware

Ricoh

Roche

Rockwell

Schneider Electric

Siemens

SonicWall

SpaceLabs

Sprecher Automation

SuperSonicImagine

TERUMOBCT

TP-LINK

  • support answer : " Our VxWorks version is not impacted."

TrendMicro

Ubiquiti

WoodWard

Xerox

XYLEM

Detection

Detection of VxWorks URGENT/11 attacks using signatures

FORTIGUARD

SURICATA

1 : OS-VXWORKS — Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability

alert tcp any any -> any any (flags:U+; msg:”OS-VXWORKS — Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability”; classtype:attempted-admin; reference:cve,2019–12255; reference:cve,2019–12260; reference:cve,2019–12261; reference:cve,2019–12263; reference:url,armis.com/urgent11; rev:1; sid:1000002;)

2 : OS-VXWORKS Illegal use of Urgent pointer — Potential attempt to exploit an Urgent11 RCE vulnerability

alert tcp any any -> any any (flags:SUF+; msg:”OS-VXWORKS Illegal use of Urgent pointer — Potential attempt to exploit an Urgent11 RCE vulnerability”; classtype:attempted-admin; reference:cve,2019–12255; reference:cve,2019–12260; reference:cve,2019–12261; reference:cve,2019–12263; reference:url,armis.com/urgent11; rev:1; sid:1000001;)

3 : OS-VXWORKS Use of LSRR option, potential attempt to exploit an Urgent11 RCE vulnerability

alert ip any any -> any any (ipopts:lsrr; msg:”OS-VXWORKS Use of LSRR option, potential attempt to exploit an Urgent11 RCE vulnerability”; reference:cve,2019–12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev:1; sid:1000003;)

4 : OS-VXWORKS Use of SSRR option, potential attempt to exploit an Urgent11 RCE vulnerability

alert ip any any -> any any (ipopts:ssrr; msg:”OS-VXWORKS Use of SSRR option, potential attempt to exploit an Urgent11 RCE vulnerability”; reference:cve,2019–12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev:1; sid:1000004;)

SNORT / SOURCEFIRE

  • 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
  • Available in 2019-08-20 12:01:10 UTC / Snort Subscriber Rules Update / Sourcefire VRT Certified rule pack Snort version 2091401.

Detection of VxWorks based systems

TENABLE

QUALYS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.