Advisory (URGENT/11)
UPDATE (2019-10-02 1241 UTC)
General
Armis released new information about the scope of the vulnerabilities: they impact more RTOSes than initially expected.
IP Stacks backstory
- Some of the vulnerabilities discovered by Armis do not reside in the VxWorks RTOS itself but in one component of it, the IP stack. This IP stack, named IPNET, comes from Interpeak AB, a company acquired on 20 March 2006 by Wind River, the vendor of the VxWorks RTOS.
- Before being acquired by Wind River, Interpeak AB sold its IP stacks to several customers. Interpeak AB sold two major IP stacks, IPNET and IPLITE; IPLITE is a lightweight version of IPNET.
IP Stacks vulnerabilities
IPNET & IPLITE
- CVE-2019-12255: TCP Urgent pointer zero RCE vulnerability (IPTCP version r6_0_0 and later)
- CVE-2019-12264: DHCP client (ipdhcpc) IPv4 assignment logical flaw (IPAPPL version r1_2_0 and later)
- CVE-2019-12258: TCP connection DoS via malformed TCP options (version not specified)
- CVE-2019-12259: DoS via NULL dereference in IGMP parsing (version not specified)
IPNET2 version r2_8_0 and later
- CVE-2019-12262: Reverse ARP logical flaw
Other affected RTOS
During testing, Armis found that the following RTOSes are potentially affected:
Operating System Embedded (OSE) by ENEA
- ENEA reports that OSE4 and OSE5 may have been bundled with Interpeak IPnet from 2004-2006. In 2007, ENEA replaced Interpeak IPnet with OSENet.
INTEGRITY by Green Hills
- Green Hills Software reports Interpeak IPnet was a third-party add-on for the INTEGRITY RTOS from 2003-2006.
ThreadX by Microsoft
Microsoft's answer:
- We have not implemented IPNet in our ThreadX releases, and these vulnerabilities do not impact our code base.
- Contrary to other reports, no version of ThreadX either pre- or post-acquisition has included IPNet, the affected software.
- ThreadX customers that have licenses and are also using IPNet should contact Wind River for the appropriate patches.
Wind River PSIRT's answer:
- Wind River does not support Interpeak software used in ThreadX or any other RTOS vendor products.
ITRON by TRON Forum
- TRON Forum reports they only publish the specification for the ITRON RTOS. Various implementations are used by many users world-wide and are created by various implementors (some commercial, some academic and some government) according to the specification document.
- TRON Forum, the caretaker of the ITRON specification, has not endorsed the use of any particular TCP/IP stack including one from Interpeak.
- The choice of TCP/IP stack is up to the RTOS vendor and application developers, and thus each application user needs to check whether the TCP/IP stack developed by Interpeak is used inside their application.
- TRON Forum will send out a preliminary warning to members by mailing list to notify implementors of the reported vulnerabilities.
ZebOS by IP Infusion
Nucleus by Mentor
What can you do?
- Contact your RTOS vendor and ask whether the IPNET or IPLITE IP stack is integrated in their RTOS.
- Scan your networks with the Armis security tool URGENT11 DETECTOR.
- See the DETECTION section below.
NOTE: The References and Security Advisory Tracking sections have been updated too.
General
The Armis research team, Armis Labs, has discovered 11 zero-day vulnerabilities in VxWorks®, the most widely used operating system you may never have heard of. VxWorks is used by over 2 billion devices, including critical industrial, medical and enterprise devices. Dubbed "URGENT/11", the vulnerabilities reside in VxWorks' TCP/IP stack (IPnet), impact all versions since version 6.5, and are a rare example of vulnerabilities found to affect the operating system over the last 13 years. Armis has worked closely with Wind River®, the maintainer of VxWorks, and the latest VxWorks 7, released on July 19, contains fixes for all the discovered vulnerabilities.
Six of the vulnerabilities are classified as critical and enable Remote Code Execution (RCE). The five remaining vulnerabilities are classified as denial of service, information leaks or logical flaws.
References:
- Security Research - White Paper
- BlackHat 2019 Presentation Slides
- BLOGPOST - URGENT/11 Risk Assessment To Help Enterprises Identify Exposed and Impacted Devices
- BLOGPOST - URGENT/11 Presses Further, Affecting Additional RTOSs - Highlights Risks on Medical Devices
Vulnerabilities
| CVE | CVSSv3 Score | Description |
|---|---|---|
| CVE-2019-12256 | 9.8 | Stack overflow in the parsing of IPv4 packets' IP options |
| CVE-2019-12257 | 8.8 | Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc |
| CVE-2019-12255 | 9.8 | TCP Urgent Pointer = 0 leads to integer underflow |
| CVE-2019-12260 | 9.8 | TCP Urgent Pointer state confusion caused by malformed TCP AO option |
| CVE-2019-12261 | 8.8 | TCP Urgent Pointer state confusion during connect() to a remote host |
| CVE-2019-12263 | 8.1 | TCP Urgent Pointer state confusion due to race condition |
| CVE-2019-12258 | 7.5 | DoS of TCP connection via malformed TCP options |
| CVE-2019-12259 | 6.3 | DoS via NULL dereference in IGMP parsing |
| CVE-2019-12262 | 7.1 | Handling of unsolicited Reverse ARP replies (Logical Flaw) |
| CVE-2019-12264 | 7.1 | Logical flaw in IPv4 assignment by the ipdhcpc DHCP client |
| CVE-2019-12265 | 5.4 | IGMP Information leak via IGMPv3 specific membership report |
Exploit development status (Last check: 2019-08-12 1655 UTC)
- CVE-2019-12255: DoS Exploit published & verified
- CVE-2019-12258: DoS Exploit published & verified
Security Advisory Tracking
National / CERT / CSIRT / Authorities
- CISA ICS Advisory
- CISA ICS Advisory
- CISA ICSM Advisory
- FDA Advisory
- CCCS Security Advisory
- AUSCERT Security Advisory
- CSIRT GOB CL
- CERT-FR
- CERT-SE
- CNNVD-201907-1490
Original software vendor advisory
Vendor responses
ABACO SYSTEMS
ABB
- https://new.abb.com/news/detail/28733/cyber-security-notification
- http://search.abb.com/library/Download.aspx?DocumentID=8VZZ001892T0001&LanguageCode=en&DocumentPartId=&Action=Launch
- http://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A6671&LanguageCode=en&DocumentPartId=&Action=Launch
- http://search.abb.com/library/Download.aspx?DocumentID=2GHV057194&LanguageCode=en&DocumentPartId=&Action=Launch
- https://search.abb.com/library/Download.aspx?DocumentID=SI20192&LanguageCode=en&DocumentPartId=&Action=Launch
- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A8838&LanguageCode=en&DocumentPartId=&Action=Launch
- https://search.abb.com/library/Download.aspx?DocumentID=2PAA120481&LanguageCode=en&DocumentPartId=&Action=Launch
ABBOT
ACCURAY
Alcatel-Lucent
AVAYA
Baxter
BD (Beckton Dickinson)
BELDEN (Hirschmann & Garrettcom)
Bosch
BR-AUTOMATION
- https://www.br-automation.com/de/service/cyber-security/
- Look for "Cyber Security Advisory 01/2019"
Broadcom
Canon
CARESTREAM
Dräger
Draytek
- Support answer: Our products aren't affected, we don't have devices built on VxWorks. (Thanks to L. HSU.)
Edwards LifeSciences
Extreme Networks
- https://extremeportal.force.com/ExtrArticleDetail?n=000040646
- https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2019-002
F5
FORTIGUARD
FUJIFILM SONOSITE
General Electric Healthcare
- https://www.gehealthcare.com/security
- Look for "VxWorks TCP/IP Stack (IPnet) Vulnerabilities"
Honeywell
HPE (Hewlett Packard Enterprise)
Medtronic
National-Instruments
- No security advisory yet, but a list of their products using VxWorks:
- http://www.ni.com/product-documentation/53636/en/
NetApp
NihonKohden
OMRON
OPTO22
Philips
- https://www.usa.philips.com/healthcare/about/customer-support/product-security
- Look for "VxWorks Urgent/11 Advisory (1 August 2019)"
Radware
Ricoh
Roche
- https://diagnostics.roche.com/global/en/legal/product-security-advisory.html
- Look for "URGENT/11 - Multiple vulnerabilities in VxWorks (27 September 2019)"
Rockwell
Schneider Electric
Siemens
- https://cert-portal.siemens.com/productcert/pdf/ssa-632562.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-189842.pdf
SonicWall
SpaceLabs
Sprecher Automation
- https://www.sprecher-automation.com/en/it-security/
- Look for "Urgent 11 in Wind River VxWorks"
SuperSonicImagine
TERUMOBCT
- https://www.terumobct.com/support/product-security
- Look for "Wind River TCP/IP Stack Security Update"
TP-LINK
- Support answer: "Our VxWorks version is not impacted."
TrendMicro
Ubiquiti
WoodWard
- https://support.woodward.com/en/kb/articles/preliminary-notice-woodward-security-bulletin-01661-urgent-11
- https://support.woodward.com/file.php/1529CZSDRTZZZX1528120139B43/01661-.pdf
Xerox
- https://security.business.xerox.com/en-us/news/wind-river-vxworks-ipnet-tcp-ip-stack-vulnerabilities/
- https://security.business.xerox.com/wp-content/uploads/2019/09/cert_Security_Mini_Bulletin_XRX19U_for_WorkCentre3335-3345.pdf
XYLEM
Detection
Detection of VxWorks URGENT/11 attacks using signatures
FORTIGUARD
- https://fortiguard.com/encyclopedia/ips/48263/wind-river-vxworks-large-dhcp-packet-handling-heap-overflow
- https://fortiguard.com/encyclopedia/ips/48250/wind-river-vxworks-ao-option-urgent-pointer-integer-underflow
- https://fortiguard.com/encyclopedia/ips/48249/wind-river-vxworks-zero-urgent-pointer-integer-underflow
- https://fortiguard.com/encyclopedia/ips/48248/wind-river-vxworks-ip-option-handling-stack-overflow
SURICATA
1: OS-VXWORKS - Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability
alert tcp any any -> any any (flags:U+; msg:"OS-VXWORKS - Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev:1; sid:1000002;)
2: OS-VXWORKS Illegal use of Urgent pointer - Potential attempt to exploit an Urgent11 RCE vulnerability
alert tcp any any -> any any (flags:SUF+; msg:"OS-VXWORKS Illegal use of Urgent pointer - Potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev:1; sid:1000001;)
3: OS-VXWORKS Use of LSRR option, potential attempt to exploit an Urgent11 RCE vulnerability
alert ip any any -> any any (ipopts:lsrr; msg:"OS-VXWORKS Use of LSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev:1; sid:1000003;)
4: OS-VXWORKS Use of SSRR option, potential attempt to exploit an Urgent11 RCE vulnerability
alert ip any any -> any any (ipopts:ssrr; msg:"OS-VXWORKS Use of SSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev:1; sid:1000004;)
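The four Suricata signatures above reduce to three packet-level conditions: the TCP URG flag (alone, or combined with SYN and FIN) and the LSRR/SSRR IPv4 options. The following Python is an added example, not Armis's or the page's own code, that implements the same checks on raw IPv4/TCP bytes so the logic can be tested offline; `build_packet`, `LSRR_OPT` and `SSRR_OPT` are constructed sample data (no checksums), and `urg_pointer_zero` adds the narrower CVE-2019-12255 condition from the table above (URG set with Urgent Pointer 0), which the signatures themselves do not distinguish.

```python
import struct
# IPv4 option types (RFC 791) and TCP flag bits used by the signatures above
IPOPT_LSRR, IPOPT_SSRR = 131, 137
TCP_FIN, TCP_SYN, TCP_URG = 0x01, 0x02, 0x20

def ip_options(pkt):
    """Walk the IPv4 option area and return the set of option type numbers seen."""
    opts, types, i = pkt[20:(pkt[0] & 0x0F) * 4], set(), 0
    while i < len(opts) and opts[i] != 0:            # type 0 = End of Option List
        types.add(opts[i])
        if opts[i] == 1:                             # type 1 = NOP, single byte
            i += 1
        elif i + 1 < len(opts) and opts[i + 1] >= 2:
            i += opts[i + 1]                         # length byte covers type+len
        else:
            break                                    # truncated or malformed option
    return types

def check_packet(pkt):
    """Return the sids of the Suricata signatures above that this packet triggers."""
    hits, types = [], ip_options(pkt)
    if pkt[9] == 6:                                  # IP protocol 6 = TCP
        flags = pkt[(pkt[0] & 0x0F) * 4 + 13]        # TCP flags byte
        if flags & TCP_SYN and flags & TCP_URG and flags & TCP_FIN:
            hits.append(1000001)                     # flags:SUF+
        if flags & TCP_URG:
            hits.append(1000002)                     # flags:U+
    if IPOPT_LSRR in types:
        hits.append(1000003)                         # ipopts:lsrr
    if IPOPT_SSRR in types:
        hits.append(1000004)                         # ipopts:ssrr
    return hits

def urg_pointer_zero(pkt):
    """True if URG is set with Urgent Pointer 0, the CVE-2019-12255 condition."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    return bool(tcp[13] & TCP_URG) and tcp[18:20] == b"\x00\x00"

def build_packet(flags, ip_opts=b"", urg_ptr=0):
    """Constructed sample IPv4+TCP packet for offline testing (checksums left at 0)."""
    opts = ip_opts + b"\x00" * (-len(ip_opts) % 4)  # pad options to a 32-bit boundary
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, urg_ptr)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(opts) // 4), 0, 20 + len(opts) + len(tcp),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + opts + tcp

# Constructed option bytes: type, length 7, pointer 4, one route hop (test-net address)
LSRR_OPT = b"\x83\x07\x04" + bytes([192, 0, 2, 30])
SSRR_OPT = b"\x89\x07\x04" + bytes([192, 0, 2, 30])
```

Note that sid 1000001 is a strict subset of sid 1000002, so a SYN+URG+FIN packet fires both, exactly as the `flags:` modifiers in the rules imply.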
SNORT / SOURCEFIRE
- 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
- Available in 2019-08-20 12:01:10 UTC / Snort Subscriber Rules Update / Sourcefire VRT Certified rule pack Snort version 2091401.
Detection of VxWorks based systems
TENABLE
| Plugin ID | Name | Product | Family | Published | Updated | Severity |
|---|---|---|---|---|---|---|
| 127108 | Wind River VxWorks Multiple Vulnerabilities (URGENT/11) | Nessus | Misc. | 2019/07/29 | 2019/08/05 | CRITICAL |
| 127109 | Xerox WorkCentre Multiple Vulnerabilities (XRX19-016) (URGENT/11) | Nessus | Misc. | 2019/07/29 | 2019/08/05 | CRITICAL |
| 127107 | SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11) | Nessus | Firewalls | 2019/07/29 | 2019/08/05 | CRITICAL |
- https://fr.tenable.com/blog/critical-vulnerabilities-dubbed-urgent11-place-devices-running-vxworks-at-risk-of-rce-attacks
QUALYS
- QID 13534 Wind River VxWorks Multiple Security Vulnerabilities (URGENT 11) 2019/08/02
- https://discussions.qualys.com/docs/DOC-6835-dashboard-toolbox-query-for-urgent11