Tracking vendors responses to URGENT/11 VxWorks vulnerabilities (Last updated: 2019-12-10 2251 UTC)

Advisory (URGENT/11)

UPDATE (2019-10-02 1241 UTC)

General

Armis released new information about the scope of the vulnerabilities: they impact more RTOSes than initially expected, because the bugs live in a third-party IP stack that was sold to other RTOS vendors before Wind River acquired it.

IP Stacks backstory

  • Some of the vulnerabilities discovered by Armis do not reside in the VxWorks RTOS itself but in one component of it, the IP stack. This IP stack, named IPnet, comes from Interpeak AB, a company acquired by Wind River (the vendor of VxWorks) on 20 March 2006.
  • Before being acquired by Wind River, Interpeak AB sold its IP stacks to several customers. Interpeak sold two major IP stacks, IPNET and IPLITE; IPLITE is a lightweight version of IPNET, so a product may carry the affected code without ever having shipped VxWorks.

IP Stacks vulnerabilities

IPNET & IPLITE

  • CVE-2019-12255: TCP Urgent Pointer = 0 RCE vulnerability (integer underflow) (IPTCP version r6_0_0 and later)
  • CVE-2019-12264: DHCP client (ipdhcpc) IPv4 assignment logical flaw (IPAPPL version r1_2_0 and later)
  • CVE-2019-12258: TCP connection DoS via malformed TCP options (affected version not specified)
  • CVE-2019-12259: DoS via NULL dereference in IGMP parsing (affected version not specified)

IPNET2 version r2_8_0 and later

  • CVE-2019-12262: Reverse ARP logical flaw

Other affected RTOSes

Armis discovered during testing that the following RTOSes are potentially affected:

Operating System Embedded (OSE) by ENEA

  • ENEA reports that OSE4 and OSE5 may have been bundled with Interpeak IPnet from 2004 to 2006. In 2007, ENEA replaced Interpeak IPnet with OSENet.

INTEGRITY by Green Hills

  • Green Hills Software reports that Interpeak IPnet was a third-party add-on for the INTEGRITY RTOS from 2003 to 2006.

ThreadX by Microsoft

Microsoft answer:

  • We have not implemented IPNet in our ThreadX releases, and these vulnerabilities do not impact our code base.
  • Contrary to other reports, no version of ThreadX either pre- or post-acquisition has included IPNet, the affected software.
  • ThreadX customers that have licenses and are also using IPNet should contact Wind River for the appropriate patches.

Wind River PSIRT answer:

  • Wind River does not support Interpeak software used in ThreadX or any other RTOS vendor products.

ITRON by TRON Forum

  • TRON Forum reports that they only publish the specification for the ITRON RTOS. Various implementations are used by many users world-wide and are created by various implementors (some commercial, some academic and some government) according to the specification document.
  • TRON Forum, the caretaker of the ITRON specification, has not endorsed the use of any particular TCP/IP stack, including the one from Interpeak.
  • The choice of TCP/IP stack is up to the RTOS vendor and application developers, and thus each application user needs to check whether the TCP/IP stack developed by Interpeak is used inside their application.
  • TRON Forum will send out a preliminary warning to members by mailing list to notify implementors of the reported vulnerabilities.

ZebOS by IP Infusion

Nucleus by Mentor

What you can do?

  • Contact your RTOS vendor and ask whether the IPNET or IPLITE IP stack is integrated in their RTOS (and, if so, which version).
  • Scan your networks with Armis' URGENT11 DETECTOR tool.
  • See the DETECTION section below for IDS signatures and scanner coverage.

NOTE: The References and Security Advisory Tracking sections have been updated too.

General

The Armis research team, Armis Labs, has discovered 11 zero-day vulnerabilities in VxWorks®, the most widely used operating system you may never have heard of. VxWorks is used by over 2 billion devices, including critical industrial, medical and enterprise devices. Dubbed "URGENT/11", the vulnerabilities reside in VxWorks' TCP/IP stack (IPnet), impact all versions since version 6.5, and are a rare example of vulnerabilities found to affect the operating system over the last 13 years. Armis has worked closely with Wind River®, the maintainer of VxWorks, and the latest VxWorks 7 release (July 19) contains fixes for all the discovered vulnerabilities.

Six of the vulnerabilities are classified as critical and enable Remote Code Execution (RCE). The five remaining vulnerabilities are classified as denial of service, information leaks or logical flaws.

References:

Vulnerabilities

CVE             CVSSv3  Description
CVE-2019-12256  9.8     Stack overflow in the parsing of IPv4 packets' IP options
CVE-2019-12257  8.8     Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
CVE-2019-12255  9.8     TCP Urgent Pointer = 0 leads to integer underflow
CVE-2019-12260  9.8     TCP Urgent Pointer state confusion caused by malformed TCP AO option
CVE-2019-12261  8.8     TCP Urgent Pointer state confusion during connect() to a remote host
CVE-2019-12263  8.1     TCP Urgent Pointer state confusion due to race condition
CVE-2019-12258  7.5     DoS of TCP connection via malformed TCP options
CVE-2019-12259  6.3     DoS via NULL dereference in IGMP parsing
CVE-2019-12262  7.1     Handling of unsolicited Reverse ARP replies (logical flaw)
CVE-2019-12264  7.1     Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
CVE-2019-12265  5.4     IGMP information leak via IGMPv3-specific membership report

Exploit development status (Last check: 2019-08-12 1655 UTC)

  • CVE-2019-12255: DoS Exploit published & verified
  • CVE-2019-12258: DoS Exploit published & verified

Security Advisory Tracking

National / CERT / CSIRT / Authorities

Original software vendor (Wind River) advisory

Vendors responses

ABACO SYSTEMS

ABB

Abbott

ACCURAY

Alcatel-Lucent

AVAYA

Baxter

BD (Becton Dickinson)

BELDEN (Hirschmann & Garrettcom)

Bosch

BR-AUTOMATION

Broadcom

Canon

CARESTREAM

Dräger

Draytek

  • Support answer: Our products aren't affected; we don't have devices built on VxWorks. (Thanks to L. HSU.)

Edwards LifeSciences

Extreme Networks

F5

FORTIGUARD

FUJIFILM SONOSITE

General Electric Healthcare

Honeywell

HPE (Hewlett Packard Enterprise)

Medtronic

National-Instruments

NetApp

Nihon Kohden

OMRON

OPTO22

Philips

Radware

Ricoh

Roche

Rockwell

Schneider Electric

Siemens

SonicWall

SpaceLabs

Sprecher Automation

SuperSonicImagine

TERUMOBCT

TP-LINK

  • Support answer: "Our VxWorks version is not impacted."

TrendMicro

Ubiquiti

WoodWard

Xerox

XYLEM

Detection

Detection of VxWorks URGENT/11 attacks using signatures

FORTIGUARD

SURICATA

1: OS-VXWORKS - Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability

alert tcp any any -> any any (flags:U+; msg:"OS-VXWORKS - Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev:1; sid:1000002;)

2: OS-VXWORKS Illegal use of Urgent pointer - Potential attempt to exploit an Urgent11 RCE vulnerability

alert tcp any any -> any any (flags:SUF+; msg:"OS-VXWORKS Illegal use of Urgent pointer - Potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev:1; sid:1000001;)

3: OS-VXWORKS Use of LSRR option, potential attempt to exploit an Urgent11 RCE vulnerability

alert ip any any -> any any (ipopts:lsrr; msg:"OS-VXWORKS Use of LSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev:1; sid:1000003;)

4: OS-VXWORKS Use of SSRR option, potential attempt to exploit an Urgent11 RCE vulnerability

alert ip any any -> any any (ipopts:ssrr; msg:"OS-VXWORKS Use of SSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev:1; sid:1000004;)

Note that rule 1 fires on any segment with the URG flag set (flags:U+ means URG plus anything), so it will also match legitimate telnet and rlogin traffic that uses TCP urgent data; treat it as a hunting lead to correlate with your VxWorks asset list rather than a verdict. Rules 3 and 4 (source-routed IP options) are far rarer on production networks and are worth alerting on regardless of target OS.

SNORT / SOURCEFIRE

  • 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
  • Available in the 2019-08-20 12:01:10 UTC Snort Subscriber Rules Update (Sourcefire VRT Certified rule pack, Snort version 2091401).
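As an added worked example (this is not Armis', Wind River's or any vendor's code), the following Python script re-implements the packet features the four Suricata rules above match on (the TCP URG flag, the SYN+URG+FIN combination, and the IPv4 LSRR/SSRR options) as a standalone checker that can be run over raw IPv4 frames, and goes one step beyond the rules by also flagging a URG segment whose urgent pointer is 0, the precondition named in the vulnerability table for the CVE-2019-12255 integer underflow. The sample packets, RFC 5737 addresses and ports are constructed inline; checksums are left zero because the checker never verifies them.

```python
"""Standalone checker for the packet features in the URGENT/11 Suricata rules.
Added example: not Armis, Wind River or vendor code. Sample packets below are
constructed inline; checksums are left zero because nothing here verifies them."""
import ipaddress
import struct

IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89          # IPv4 loose / strict source route option types
TCP_FIN, TCP_SYN, TCP_ACK, TCP_URG = 0x01, 0x02, 0x10, 0x20
SUF = TCP_SYN | TCP_URG | TCP_FIN            # the "flags:SUF+" combination of rule 2
URG_CVES = ("CVE-2019-12255", "CVE-2019-12260", "CVE-2019-12261", "CVE-2019-12263")


def build_tcp(flags, urg_ptr=0, payload=b"", sport=40000, dport=23):
    """Constructed TCP segment with no options (data offset 5), checksum 0."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags,
                       8192, 0, urg_ptr) + payload


def build_ipv4(payload, proto=6, options=b"", src="192.0.2.10", dst="192.0.2.20"):
    """Constructed IPv4 packet; options are padded with EOL (0x00) to a 32-bit boundary."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0x1234, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options + payload


def ipv4_option_kinds(hdr):
    """Walk the option area after the fixed 20-byte header and return the option types."""
    kinds, i = [], 20
    while i < len(hdr):
        kind = hdr[i]
        if kind == 0:                      # EOL ends the list
            break
        if kind == 1:                      # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(hdr) or hdr[i + 1] < 2:
            break                          # truncated or bogus length: stop, never spin
        kinds.append(kind)
        i += hdr[i + 1]
    return kinds


def check_packet(pkt):
    """Return (finding, cves) pairs: Suricata rules 1-4 plus the urg_ptr == 0 refinement."""
    hits = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return hits
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return hits
    kinds = ipv4_option_kinds(pkt[:ihl])
    if IPOPT_LSRR in kinds:                # rule 3
        hits.append(("ip-lsrr", ("CVE-2019-12256",)))
    if IPOPT_SSRR in kinds:                # rule 4
        hits.append(("ip-ssrr", ("CVE-2019-12256",)))
    if pkt[9] != 6 or len(pkt) < ihl + 20:  # not TCP, or truncated TCP header
        return hits
    flags = struct.unpack("!H", pkt[ihl + 12:ihl + 14])[0] & 0x1FF
    urg_ptr = struct.unpack("!H", pkt[ihl + 18:ihl + 20])[0]
    if flags & TCP_URG:                    # rule 1: any URG segment (noisy, see note)
        hits.append(("tcp-urg", URG_CVES))
        if urg_ptr == 0:                   # CVE-2019-12255 precondition, not in the rules
            hits.append(("tcp-urg-ptr-zero", ("CVE-2019-12255",)))
    if flags & SUF == SUF:                 # rule 2: SYN+URG+FIN never occurs legitimately
        hits.append(("tcp-syn-urg-fin", URG_CVES))
    return hits


# Constructed samples (RFC 5737 addresses, destination port 23 to mimic a telnet target)
SAMPLES = {
    "benign-syn": build_ipv4(build_tcp(TCP_SYN)),
    "urg-ptr-zero": build_ipv4(build_tcp(TCP_ACK | TCP_URG, urg_ptr=0, payload=b"AAAA")),
    "telnet-synch": build_ipv4(build_tcp(TCP_ACK | TCP_URG, urg_ptr=1, payload=b"\xff\xf2")),
    "syn-urg-fin": build_ipv4(build_tcp(SUF, urg_ptr=1)),
    "lsrr-syn": build_ipv4(build_tcp(TCP_SYN), options=bytes([IPOPT_LSRR, 7, 4])
                           + ipaddress.ip_address("198.51.100.1").packed),
}


def scan(samples=SAMPLES):
    """Map sample name -> list of finding names, for the table printed below."""
    return {name: [f for f, _ in check_packet(pkt)] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name:14s} {findings or 'no finding'}")
```

The "telnet-synch" sample shows why the URG-only finding (and Suricata rule 1) needs correlation: a telnet Synch (IAC DM sent as urgent data) is legitimate traffic that trips it, whereas the urgent-pointer-zero, SYN+URG+FIN and source-route findings have no legitimate reason to appear on a production network and can be alerted on directly. To use it on real traffic, feed `check_packet` the IPv4 layer of each frame from a pcap reader of your choice.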

Detection of VxWorks based systems

TENABLE

QUALYS
